sality | 78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e

Modify Existing Service

T1031

Processes:

78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

Windows security bypass 2 TTPs 6 IoCs

Disabling Security Tools

Modify Registry

Processes:

78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

Executes dropped EXE 3 IoCs

Processes:

vncautoclick.exetapinstall.exetapinstall.exe

pid process

4244 vncautoclick.exe
1884 tapinstall.exe
3628 tapinstall.exe

pid	process
4244	vncautoclick.exe
1884	tapinstall.exe
3628	tapinstall.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2600-130-0x0000000002350000-0x00000000033DE000-memory.dmp	upx
behavioral2/memory/2600-133-0x0000000002350000-0x00000000033DE000-memory.dmp	upx
behavioral2/memory/2600-163-0x0000000002350000-0x00000000033DE000-memory.dmp	upx

Loads dropped DLL 9 IoCs

Processes:

78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

pid	process
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

Windows security modification 2 TTPs 7 IoCs

Disabling Security Tools

Modify Registry

Processes:

78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

Processes:

78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

description	ioc	process
File opened (read-only)	\??\L:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\M:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\Q:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\U:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\Z:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\I:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\S:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\V:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\W:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\X:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\H:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\K:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\N:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\O:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\P:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\R:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\T:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\Y:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\G:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\F:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\J:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened (read-only)	\??\E:	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

description ioc process

File opened for modification C:\autorun.inf 78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

description	ioc	process
File opened for modification	C:\autorun.inf	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

Drops file in System32 directory 9 IoCs

Processes:

DrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{748e726b-78e6-9f40-b9b1-6927c237eab1}\sslvna.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{748e726b-78e6-9f40-b9b1-6927c237eab1}\vna0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{748e726b-78e6-9f40-b9b1-6927c237eab1}\SETC4EB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{748e726b-78e6-9f40-b9b1-6927c237eab1}\SETC4EB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{748e726b-78e6-9f40-b9b1-6927c237eab1}\SETC4EC.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{748e726b-78e6-9f40-b9b1-6927c237eab1}\SETC4EC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{748e726b-78e6-9f40-b9b1-6927c237eab1}\vna0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{748e726b-78e6-9f40-b9b1-6927c237eab1}\SETC4FC.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{748e726b-78e6-9f40-b9b1-6927c237eab1}\SETC4FC.tmp	DrvInst.exe

Drops file in Program Files directory 39 IoCs

Processes:

78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

description	ioc	process
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\sslservice.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\mfc100.dll	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\msvcr100.dll	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\driver\sslvna.inf	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\HTCSPApi.dll	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\SpOrder.Dll	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\SKFAPI.dll	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\tapinstall.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\NonIFSLSP.dll	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\GEC00001.dll	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\msvcp100.dll	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\vncautoclick.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\KeySniffer.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\sso_client.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\addtap.bat	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\driver\vna0901.sys	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\config\backgroud.bmp	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\driver\vna0901.cat	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\msvcrt.dll	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\SSLVPNCSClient.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\sslvpn.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\deltapall.bat	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\config\default.gif	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened for modification	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\HTCSPApi.dll	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened for modification	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\GEC00001.dll	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\SkipCertAlert.dll	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\sslvpncp.exe	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File created	C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\GEA00001.dll	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

Drops file in Windows directory 4 IoCs

Processes:

78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exetapinstall.exesvchost.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 16 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

tapinstall.exesvchost.exetapinstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe

Modifies data under HKEY_USERS 42 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

tapinstall.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b817e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60103000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b817e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	tapinstall.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

pid	process
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

description	pid	process
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
Token: SeDebugPrivilege	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vncautoclick.exe

pid process

4244 vncautoclick.exe
4244 vncautoclick.exe

pid	process
4244	vncautoclick.exe
4244	vncautoclick.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exenet.exesvchost.exeDrvInst.exe

description	pid	process	target process
PID 2600 wrote to memory of 784	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	fontdrvhost.exe
PID 2600 wrote to memory of 792	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	fontdrvhost.exe
PID 2600 wrote to memory of 384	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	dwm.exe
PID 2600 wrote to memory of 2364	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	sihost.exe
PID 2600 wrote to memory of 2376	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	svchost.exe
PID 2600 wrote to memory of 2704	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	taskhostw.exe
PID 2600 wrote to memory of 2652	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	Explorer.EXE
PID 2600 wrote to memory of 3016	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	svchost.exe
PID 2600 wrote to memory of 3268	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	DllHost.exe
PID 2600 wrote to memory of 3372	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	StartMenuExperienceHost.exe
PID 2600 wrote to memory of 3436	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	RuntimeBroker.exe
PID 2600 wrote to memory of 3520	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	SearchApp.exe
PID 2600 wrote to memory of 3784	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	RuntimeBroker.exe
PID 2600 wrote to memory of 4300	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	RuntimeBroker.exe
PID 2600 wrote to memory of 1952	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	backgroundTaskHost.exe
PID 2600 wrote to memory of 4456	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	RuntimeBroker.exe
PID 2600 wrote to memory of 4620	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	net.exe
PID 2600 wrote to memory of 4620	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	net.exe
PID 2600 wrote to memory of 4620	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	net.exe
PID 4620 wrote to memory of 1492	4620	net.exe	net1.exe
PID 4620 wrote to memory of 1492	4620	net.exe	net1.exe
PID 4620 wrote to memory of 1492	4620	net.exe	net1.exe
PID 2600 wrote to memory of 4244	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	vncautoclick.exe
PID 2600 wrote to memory of 4244	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	vncautoclick.exe
PID 2600 wrote to memory of 4244	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	vncautoclick.exe
PID 2600 wrote to memory of 1884	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	tapinstall.exe
PID 2600 wrote to memory of 1884	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	tapinstall.exe
PID 2600 wrote to memory of 3628	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	tapinstall.exe
PID 2600 wrote to memory of 3628	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	tapinstall.exe
PID 4980 wrote to memory of 1264	4980	svchost.exe	DrvInst.exe
PID 4980 wrote to memory of 1264	4980	svchost.exe	DrvInst.exe
PID 1264 wrote to memory of 4796	1264	DrvInst.exe	rundll32.exe
PID 1264 wrote to memory of 4796	1264	DrvInst.exe	rundll32.exe
PID 2600 wrote to memory of 784	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	fontdrvhost.exe
PID 2600 wrote to memory of 792	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	fontdrvhost.exe
PID 2600 wrote to memory of 384	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	dwm.exe
PID 2600 wrote to memory of 2364	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	sihost.exe
PID 2600 wrote to memory of 2376	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	svchost.exe
PID 2600 wrote to memory of 2704	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	taskhostw.exe
PID 2600 wrote to memory of 2652	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	Explorer.EXE
PID 2600 wrote to memory of 3016	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	svchost.exe
PID 2600 wrote to memory of 3268	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	DllHost.exe
PID 2600 wrote to memory of 3372	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	StartMenuExperienceHost.exe
PID 2600 wrote to memory of 3436	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	RuntimeBroker.exe
PID 2600 wrote to memory of 3520	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	SearchApp.exe
PID 2600 wrote to memory of 3784	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	RuntimeBroker.exe
PID 2600 wrote to memory of 4300	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	RuntimeBroker.exe
PID 2600 wrote to memory of 4456	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	RuntimeBroker.exe
PID 2600 wrote to memory of 4244	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	vncautoclick.exe
PID 2600 wrote to memory of 4244	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	vncautoclick.exe
PID 2600 wrote to memory of 3628	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	tapinstall.exe
PID 2600 wrote to memory of 3540	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	Conhost.exe
PID 2600 wrote to memory of 4796	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	rundll32.exe
PID 2600 wrote to memory of 784	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	fontdrvhost.exe
PID 2600 wrote to memory of 792	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	fontdrvhost.exe
PID 2600 wrote to memory of 384	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	dwm.exe
PID 2600 wrote to memory of 2364	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	sihost.exe
PID 2600 wrote to memory of 2376	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	svchost.exe
PID 2600 wrote to memory of 2704	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	taskhostw.exe
PID 2600 wrote to memory of 2652	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	Explorer.EXE
PID 2600 wrote to memory of 3016	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	svchost.exe
PID 2600 wrote to memory of 3268	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	DllHost.exe
PID 2600 wrote to memory of 3372	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	StartMenuExperienceHost.exe
PID 2600 wrote to memory of 3436	2600	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe	RuntimeBroker.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:384

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3436

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1952

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4300

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3784

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3520

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3372

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3016

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe
"C:\Users\Admin\AppData\Local\Temp\78087d3040620aedcf3732eb1b994646f65fdf8135319bba4999bb7b0be2b23e.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2600

C:\Windows\SysWOW64\net.exe
net stop SSLVPNService
3⤵
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SSLVPNService
4⤵
PID:1492

C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\vncautoclick.exe
"C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\vncautoclick.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4244

C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\tapinstall.exe
"C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\tapinstall.exe" hwids vna0901
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1884

C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\tapinstall.exe
"C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\bin\tapinstall.exe" install "C:\Program Files (x86)\SSL VPN ¿Í»§¶Ë\driver\sslvna.inf" vna0901
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
PID:3628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3540

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2376

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2364

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{a8d94080-f6d2-9040-9e29-5188d8a2a5b3}\sslvna.inf" "9" "4aef3f52f" "0000000000000148" "WinSta0\Default" "0000000000000150" "208" "c:\program files (x86)\ssl vpn ¿í»§¶ë\driver"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{15dcea90-3e9b-8f4d-b33f-5947aaf228cc} Global\{4068cd11-006f-ef4f-9e93-44ed9c9cf098} C:\Windows\System32\DriverStore\Temp\{748e726b-78e6-9f40-b9b1-6927c237eab1}\sslvna.inf C:\Windows\System32\DriverStore\Temp\{748e726b-78e6-9f40-b9b1-6927c237eab1}\vna0901.cat
3⤵
PID:4796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

Bypass User Account Control

T1088

Disabling Security Tools

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery