djvu | 1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

g3rgg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g3rgg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g3rgg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g3rgg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g3rgg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	g3rgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	g3rgg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g3rgg.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1928-105-0x0000000000230000-0x000000000023E000-memory.dmp	family_raccoon
behavioral1/memory/1928-106-0x0000000000400000-0x0000000000454000-memory.dmp	family_raccoon
behavioral1/memory/1884-108-0x00000000002A0000-0x00000000002B5000-memory.dmp	family_raccoon
behavioral1/memory/1884-109-0x0000000000400000-0x0000000000522000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 24 IoCs

Processes:

resource	yara_rule
\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe	family_redline
behavioral1/memory/1368-116-0x0000000000950000-0x0000000000994000-memory.dmp	family_redline
behavioral1/memory/1352-117-0x0000000000CC0000-0x0000000000CE0000-memory.dmp	family_redline
behavioral1/memory/1604-115-0x0000000000E60000-0x0000000000E80000-memory.dmp	family_redline
behavioral1/memory/692-114-0x00000000010A0000-0x00000000010E4000-memory.dmp	family_redline
behavioral1/memory/1496-113-0x0000000001190000-0x00000000011C0000-memory.dmp	family_redline
behavioral1/memory/3516-205-0x0000000004CF0000-0x0000000004D38000-memory.dmp	family_redline
behavioral1/memory/2956-202-0x0000000002920000-0x000000000296A000-memory.dmp	family_redline
behavioral1/memory/3516-201-0x00000000029E0000-0x0000000002A2A000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

Processes:

lrPtX_Gb8SH8OaXKghIOS0Xq.exeSKZkmTvvk0vKW6vBjCG5uQIc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	lrPtX_Gb8SH8OaXKghIOS0Xq.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SKZkmTvvk0vKW6vBjCG5uQIc.exe

Downloads MZ/PE file

Executes dropped EXE 24 IoCs

Processes:

real.exeF0geI.exenamdoitntn.exeromb_ro.exesafert44.exetag.exeffnameedit.exekukurzka9000.exenamdoitntn.exeg3rgg.exejshainx.exeme.exeav_i0LphtcmrgDd11XbSkaDr.exeSKZkmTvvk0vKW6vBjCG5uQIc.exeKnCRPa9kAFQ1SkJRQoAuVR3U.exePNK2qDH4B2zHtjEFakizB6zN.exelrPtX_Gb8SH8OaXKghIOS0Xq.exeXTGb5xqUE7UViv5WwvlYAe5l.exeyml5SKBWTGTUqrtSKFtAXPTf.exeqTRyj3Z4uOtMFbVGJ35FPke5.exefItcJPCWHWEnhZxJU7_gA0lr.exe1K4dGgD18_IpnoAhp7irlCBO.exeyml5SKBWTGTUqrtSKFtAXPTf.exeCJkUoqm7lbZvg7RaRm4RatIe.exe

pid	process
1108	real.exe
1928	F0geI.exe
1796	namdoitntn.exe
1052	romb_ro.exe
1368	safert44.exe
1352	tag.exe
1496	ffnameedit.exe
1884	kukurzka9000.exe
692	namdoitntn.exe
972	g3rgg.exe
1604	jshainx.exe
1648	me.exe
3432	av_i0LphtcmrgDd11XbSkaDr.exe
3516	SKZkmTvvk0vKW6vBjCG5uQIc.exe
3424	KnCRPa9kAFQ1SkJRQoAuVR3U.exe
3828	PNK2qDH4B2zHtjEFakizB6zN.exe
2956	lrPtX_Gb8SH8OaXKghIOS0Xq.exe
2908	XTGb5xqUE7UViv5WwvlYAe5l.exe
2244	yml5SKBWTGTUqrtSKFtAXPTf.exe
2392	qTRyj3Z4uOtMFbVGJ35FPke5.exe
3760	fItcJPCWHWEnhZxJU7_gA0lr.exe
2372	1K4dGgD18_IpnoAhp7irlCBO.exe
5128	yml5SKBWTGTUqrtSKFtAXPTf.exe
178352	CJkUoqm7lbZvg7RaRm4RatIe.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\Pictures\Adobe Films\fItcJPCWHWEnhZxJU7_gA0lr.exe	vmprotect
\Users\Admin\Pictures\Adobe Films\fItcJPCWHWEnhZxJU7_gA0lr.exe	vmprotect
behavioral1/memory/3760-182-0x0000000140000000-0x0000000140606000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

lrPtX_Gb8SH8OaXKghIOS0Xq.exeSKZkmTvvk0vKW6vBjCG5uQIc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lrPtX_Gb8SH8OaXKghIOS0Xq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lrPtX_Gb8SH8OaXKghIOS0Xq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SKZkmTvvk0vKW6vBjCG5uQIc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SKZkmTvvk0vKW6vBjCG5uQIc.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

g3rgg.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation g3rgg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	g3rgg.exe

Loads dropped DLL 35 IoCs

Processes:

1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exeg3rgg.exeWerFault.exeXTGb5xqUE7UViv5WwvlYAe5l.exe

pid	process
1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
392	WerFault.exe
392	WerFault.exe
392	WerFault.exe
2908	XTGb5xqUE7UViv5WwvlYAe5l.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 15 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\Pictures\Adobe Films\SKZkmTvvk0vKW6vBjCG5uQIc.exe	themida
\Users\Admin\Pictures\Adobe Films\av_i0LphtcmrgDd11XbSkaDr.exe	themida
C:\Users\Admin\Pictures\Adobe Films\av_i0LphtcmrgDd11XbSkaDr.exe	themida
\Users\Admin\Pictures\Adobe Films\lrPtX_Gb8SH8OaXKghIOS0Xq.exe	themida
behavioral1/memory/3432-176-0x0000000000400000-0x0000000000BBD000-memory.dmp	themida
behavioral1/memory/2956-178-0x0000000000400000-0x0000000000C05000-memory.dmp	themida
behavioral1/memory/3516-180-0x0000000000400000-0x0000000000BB6000-memory.dmp	themida
behavioral1/memory/2956-183-0x0000000000400000-0x0000000000C05000-memory.dmp	themida
behavioral1/memory/2956-185-0x0000000000400000-0x0000000000C05000-memory.dmp	themida
behavioral1/memory/3516-186-0x0000000000400000-0x0000000000BB6000-memory.dmp	themida
behavioral1/memory/2956-188-0x0000000000400000-0x0000000000C05000-memory.dmp	themida
behavioral1/memory/3516-189-0x0000000000400000-0x0000000000BB6000-memory.dmp	themida
behavioral1/memory/3516-191-0x0000000000400000-0x0000000000BB6000-memory.dmp	themida
behavioral1/memory/2956-216-0x0000000000400000-0x0000000000C05000-memory.dmp	themida
behavioral1/memory/3516-219-0x0000000000400000-0x0000000000BB6000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

lrPtX_Gb8SH8OaXKghIOS0Xq.exeSKZkmTvvk0vKW6vBjCG5uQIc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lrPtX_Gb8SH8OaXKghIOS0Xq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SKZkmTvvk0vKW6vBjCG5uQIc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

283 ipinfo.io
284 ipinfo.io
300 api.2ip.ua
302 api.2ip.ua
139 ipinfo.io
140 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

lrPtX_Gb8SH8OaXKghIOS0Xq.exeSKZkmTvvk0vKW6vBjCG5uQIc.exe

pid process

2956 lrPtX_Gb8SH8OaXKghIOS0Xq.exe
3516 SKZkmTvvk0vKW6vBjCG5uQIc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

yml5SKBWTGTUqrtSKFtAXPTf.exe

description pid process target process

PID 2244 set thread context of 5128 2244 yml5SKBWTGTUqrtSKFtAXPTf.exe yml5SKBWTGTUqrtSKFtAXPTf.exe

flow	ioc
283	ipinfo.io
284	ipinfo.io
300	api.2ip.ua
302	api.2ip.ua
139	ipinfo.io
140	ipinfo.io

pid	process
2956	lrPtX_Gb8SH8OaXKghIOS0Xq.exe
3516	SKZkmTvvk0vKW6vBjCG5uQIc.exe

description	pid	process	target process
PID 2244 set thread context of 5128	2244	yml5SKBWTGTUqrtSKFtAXPTf.exe	yml5SKBWTGTUqrtSKFtAXPTf.exe

Drops file in Program Files directory 13 IoCs

Processes:

1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exeXTGb5xqUE7UViv5WwvlYAe5l.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\romb_ro.exe	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\me.exe	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	XTGb5xqUE7UViv5WwvlYAe5l.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\tag.exe	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\g3rgg.exe	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jshainx.exe	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	XTGb5xqUE7UViv5WwvlYAe5l.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

392 3760 WerFault.exe fItcJPCWHWEnhZxJU7_gA0lr.exe

pid	pid_target	process	target process
392	3760	WerFault.exe	fItcJPCWHWEnhZxJU7_gA0lr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

1K4dGgD18_IpnoAhp7irlCBO.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1K4dGgD18_IpnoAhp7irlCBO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1K4dGgD18_IpnoAhp7irlCBO.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1K4dGgD18_IpnoAhp7irlCBO.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

184704 schtasks.exe
184760 schtasks.exe

pid	process
184704	schtasks.exe
184760	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{714DF751-3908-11ED-8C11-42FEA5F7B9B2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c0000000002000000000010660000000100002000000061d440d9e1a21b0fa6b1385652ed7790ff42d1b4acf9addc9b302cd38290b492000000000e80000000020000200000000c7d2e40b7ab0ed6d3e6956c7fd8a50dbc3d1b4c29263077a76dac68076b7fec200000001d857045c45efce77f2d8628105777e16de991e2ef43bbba0026bf9c39d0903040000000c3bf610c1d96c809261ec160b83e02453de38d4a609c07e8377654c5582dddf5457d0f2f80a0554153e887066fb8648c0f03428ba26daa5762ef4ecff7398061	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{714BBD01-3908-11ED-8C11-42FEA5F7B9B2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7285CB71-3908-11ED-8C11-42FEA5F7B9B2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{72705F11-3908-11ED-8C11-42FEA5F7B9B2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

romb_ro.exeyml5SKBWTGTUqrtSKFtAXPTf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	romb_ro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	romb_ro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	romb_ro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	yml5SKBWTGTUqrtSKFtAXPTf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	romb_ro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	romb_ro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	romb_ro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	yml5SKBWTGTUqrtSKFtAXPTf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	yml5SKBWTGTUqrtSKFtAXPTf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

g3rgg.exe

pid	process
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe
972	g3rgg.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1K4dGgD18_IpnoAhp7irlCBO.exe

pid process

2372 1K4dGgD18_IpnoAhp7irlCBO.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SKZkmTvvk0vKW6vBjCG5uQIc.exe

description pid process

Token: SeDebugPrivilege 3516 SKZkmTvvk0vKW6vBjCG5uQIc.exe

pid	process
2372	1K4dGgD18_IpnoAhp7irlCBO.exe

description	pid	process
Token: SeDebugPrivilege	3516	SKZkmTvvk0vKW6vBjCG5uQIc.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid	process
1776	iexplore.exe
1060	iexplore.exe
1936	iexplore.exe
1956	iexplore.exe
840	iexplore.exe
1552	iexplore.exe
1596	iexplore.exe
1868	iexplore.exe
1408	iexplore.exe
856	iexplore.exe

Suspicious use of SetWindowsHookEx 42 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1776	iexplore.exe
1776	iexplore.exe
1868	iexplore.exe
1868	iexplore.exe
1552	iexplore.exe
1552	iexplore.exe
1936	iexplore.exe
1936	iexplore.exe
840	iexplore.exe
840	iexplore.exe
1596	iexplore.exe
1596	iexplore.exe
856	iexplore.exe
856	iexplore.exe
1408	iexplore.exe
1408	iexplore.exe
1956	iexplore.exe
1956	iexplore.exe
1060	iexplore.exe
1060	iexplore.exe
2412	IEXPLORE.EXE
2412	IEXPLORE.EXE
2488	IEXPLORE.EXE
2488	IEXPLORE.EXE
2480	IEXPLORE.EXE
2440	IEXPLORE.EXE
2480	IEXPLORE.EXE
2440	IEXPLORE.EXE
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2456	IEXPLORE.EXE
2456	IEXPLORE.EXE
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
2472	IEXPLORE.EXE
2472	IEXPLORE.EXE
2464	IEXPLORE.EXE
2464	IEXPLORE.EXE
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe

description	pid	process	target process
PID 1720 wrote to memory of 1776	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1776	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1776	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1776	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1868	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1868	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1868	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1868	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1956	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1956	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1956	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1956	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1408	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1408	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1408	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1408	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1936	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1936	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1936	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1936	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 856	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 856	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 856	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 856	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 840	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 840	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 840	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 840	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	iexplore.exe
PID 1720 wrote to memory of 1108	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	real.exe
PID 1720 wrote to memory of 1108	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	real.exe
PID 1720 wrote to memory of 1108	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	real.exe
PID 1720 wrote to memory of 1108	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	real.exe
PID 1720 wrote to memory of 1928	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	F0geI.exe
PID 1720 wrote to memory of 1928	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	F0geI.exe
PID 1720 wrote to memory of 1928	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	F0geI.exe
PID 1720 wrote to memory of 1928	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	F0geI.exe
PID 1720 wrote to memory of 1796	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	namdoitntn.exe
PID 1720 wrote to memory of 1796	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	namdoitntn.exe
PID 1720 wrote to memory of 1796	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	namdoitntn.exe
PID 1720 wrote to memory of 1796	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	namdoitntn.exe
PID 1720 wrote to memory of 1052	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	romb_ro.exe
PID 1720 wrote to memory of 1052	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	romb_ro.exe
PID 1720 wrote to memory of 1052	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	romb_ro.exe
PID 1720 wrote to memory of 1052	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	romb_ro.exe
PID 1720 wrote to memory of 1368	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	safert44.exe
PID 1720 wrote to memory of 1368	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	safert44.exe
PID 1720 wrote to memory of 1368	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	safert44.exe
PID 1720 wrote to memory of 1368	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	safert44.exe
PID 1720 wrote to memory of 1352	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	tag.exe
PID 1720 wrote to memory of 1352	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	tag.exe
PID 1720 wrote to memory of 1352	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	tag.exe
PID 1720 wrote to memory of 1352	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	tag.exe
PID 1720 wrote to memory of 1884	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	kukurzka9000.exe
PID 1720 wrote to memory of 1884	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	kukurzka9000.exe
PID 1720 wrote to memory of 1884	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	kukurzka9000.exe
PID 1720 wrote to memory of 1884	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	kukurzka9000.exe
PID 1720 wrote to memory of 1496	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	ffnameedit.exe
PID 1720 wrote to memory of 1496	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	ffnameedit.exe
PID 1720 wrote to memory of 1496	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	ffnameedit.exe
PID 1720 wrote to memory of 1496	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	ffnameedit.exe
PID 1720 wrote to memory of 692	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	namdoitntn.exe
PID 1720 wrote to memory of 692	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	namdoitntn.exe
PID 1720 wrote to memory of 692	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	namdoitntn.exe
PID 1720 wrote to memory of 692	1720	1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe	namdoitntn.exe

C:\Users\Admin\AppData\Local\Temp\1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe
"C:\Users\Admin\AppData\Local\Temp\1d4954ca060b4eaec6ae327a5c7ab379ea6892b591858d0d03de67ccd87de996.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1n7LH4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1776

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1A4aK4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1868

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1868 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2420

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RLtX4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2480

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RCgX4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1408

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1408 CREDAT:275458 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RCgX4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1936

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RchC4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:856

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RyjC4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:840

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:840 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2448

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
2⤵
- Executes dropped EXE
PID:1108

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
2⤵
- Executes dropped EXE
PID:1928

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
PID:1796

C:\Program Files (x86)\Company\NewProduct\romb_ro.exe
"C:\Program Files (x86)\Company\NewProduct\romb_ro.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1052

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
2⤵
- Executes dropped EXE
PID:1368

C:\Program Files (x86)\Company\NewProduct\tag.exe
"C:\Program Files (x86)\Company\NewProduct\tag.exe"
2⤵
- Executes dropped EXE
PID:1352

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
2⤵
- Executes dropped EXE
PID:1884

C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe
"C:\Program Files (x86)\Company\NewProduct\ffnameedit.exe"
2⤵
- Executes dropped EXE
PID:1496

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
2⤵
- Executes dropped EXE
PID:692

C:\Program Files (x86)\Company\NewProduct\g3rgg.exe
"C:\Program Files (x86)\Company\NewProduct\g3rgg.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:972

C:\Users\Admin\Pictures\Adobe Films\fItcJPCWHWEnhZxJU7_gA0lr.exe
"C:\Users\Admin\Pictures\Adobe Films\fItcJPCWHWEnhZxJU7_gA0lr.exe"
3⤵
- Executes dropped EXE
PID:3760

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3760 -s 100
4⤵
- Loads dropped DLL
- Program crash
PID:392

C:\Users\Admin\Pictures\Adobe Films\SKZkmTvvk0vKW6vBjCG5uQIc.exe
"C:\Users\Admin\Pictures\Adobe Films\SKZkmTvvk0vKW6vBjCG5uQIc.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Users\Admin\Pictures\Adobe Films\av_i0LphtcmrgDd11XbSkaDr.exe
"C:\Users\Admin\Pictures\Adobe Films\av_i0LphtcmrgDd11XbSkaDr.exe"
3⤵
- Executes dropped EXE
PID:3432

C:\Users\Admin\Pictures\Adobe Films\KnCRPa9kAFQ1SkJRQoAuVR3U.exe
"C:\Users\Admin\Pictures\Adobe Films\KnCRPa9kAFQ1SkJRQoAuVR3U.exe"
3⤵
- Executes dropped EXE
PID:3424

C:\Users\Admin\Pictures\Adobe Films\PNK2qDH4B2zHtjEFakizB6zN.exe
"C:\Users\Admin\Pictures\Adobe Films\PNK2qDH4B2zHtjEFakizB6zN.exe"
3⤵
- Executes dropped EXE
PID:3828

C:\Users\Admin\Pictures\Adobe Films\lrPtX_Gb8SH8OaXKghIOS0Xq.exe
"C:\Users\Admin\Pictures\Adobe Films\lrPtX_Gb8SH8OaXKghIOS0Xq.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2956

C:\Users\Admin\Pictures\Adobe Films\qTRyj3Z4uOtMFbVGJ35FPke5.exe
"C:\Users\Admin\Pictures\Adobe Films\qTRyj3Z4uOtMFbVGJ35FPke5.exe"
3⤵
- Executes dropped EXE
PID:2392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:184656

C:\Users\Admin\Pictures\Adobe Films\yml5SKBWTGTUqrtSKFtAXPTf.exe
"C:\Users\Admin\Pictures\Adobe Films\yml5SKBWTGTUqrtSKFtAXPTf.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2244

C:\Users\Admin\Pictures\Adobe Films\yml5SKBWTGTUqrtSKFtAXPTf.exe
"C:\Users\Admin\Pictures\Adobe Films\yml5SKBWTGTUqrtSKFtAXPTf.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:5128

C:\Users\Admin\Pictures\Adobe Films\1K4dGgD18_IpnoAhp7irlCBO.exe
"C:\Users\Admin\Pictures\Adobe Films\1K4dGgD18_IpnoAhp7irlCBO.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2372

C:\Users\Admin\Pictures\Adobe Films\XTGb5xqUE7UViv5WwvlYAe5l.exe
"C:\Users\Admin\Pictures\Adobe Films\XTGb5xqUE7UViv5WwvlYAe5l.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2908

C:\Users\Admin\Documents\CJkUoqm7lbZvg7RaRm4RatIe.exe
"C:\Users\Admin\Documents\CJkUoqm7lbZvg7RaRm4RatIe.exe"
4⤵
- Executes dropped EXE
PID:178352

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:184704

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:184760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RqCC4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1552 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1nNrK4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1060

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2488

C:\Program Files (x86)\Company\NewProduct\jshainx.exe
"C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
2⤵
- Executes dropped EXE
PID:1604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1nzwK4
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2456

C:\Program Files (x86)\Company\NewProduct\me.exe
"C:\Program Files (x86)\Company\NewProduct\me.exe"
2⤵
- Executes dropped EXE
PID:1648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery