f99e60e6baac68914020726d270c5d0da9597c9341e8bc6f50dd7436dac8bf64

System Information Discovery

Processes:

draw.io.exedraw.io.exeQuick_Driver_Updater.tmp

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	draw.io.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	draw.io.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Quick_Driver_Updater.tmp

Loads dropped DLL 17 IoCs

Processes:

draw.io-13.9.9-windows-installer.exedraw.io.exedraw.io.exedraw.io.exedraw.io.exe

pid	Process
1956	draw.io-13.9.9-windows-installer.exe
1956	draw.io-13.9.9-windows-installer.exe
1956	draw.io-13.9.9-windows-installer.exe
1956	draw.io-13.9.9-windows-installer.exe
1956	draw.io-13.9.9-windows-installer.exe
1956	draw.io-13.9.9-windows-installer.exe
1956	draw.io-13.9.9-windows-installer.exe
1956	draw.io-13.9.9-windows-installer.exe
1956	draw.io-13.9.9-windows-installer.exe
1956	draw.io-13.9.9-windows-installer.exe
1956	draw.io-13.9.9-windows-installer.exe
1360	draw.io.exe
4740	draw.io.exe
2372	draw.io.exe
3688	draw.io.exe
4740	draw.io.exe
4740	draw.io.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{1684A3C0-82BD-46C6-9D9D-1F5EEC9A31CC}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{FB243E1E-8F8E-4F60-9A01-9F2CF06507F3}.catalogItem	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

draw.io-13.9.9-windows-installer.exeQuick_Driver_Updater.tmp

description	ioc	Process
File created	C:\Program Files\draw.io\locales\fi.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\fil.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\hu.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\locales	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\chrome_100_percent.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\ar.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\Quick Driver Updater\x64\SQLite.Interop.dll	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files\draw.io\locales\hi.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\swiftshader\libGLESv2.dll	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\Quick Driver Updater\WPFToolkit.dll	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\is-RDKSQ.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\langs\is-LQGRP.tmp	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files\draw.io\chrome_100_percent.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\bn.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\locales\lt.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\lv.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\ml.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\Quick Driver Updater\is-8IJQD.tmp	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files\draw.io\locales\fr.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\he.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\lt.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\locales\zh-CN.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\bg.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\Quick Driver Updater\is-3ESC3.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\is-BBK4G.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\draw.io\resources\app.asar	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\Quick Driver Updater\is-IFOIN.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\draw.io\locales\da.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\locales\da.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\locales\ml.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\Quick Driver Updater\qdu.exe	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files\Quick Driver Updater\Newtonsoft.Json.dll	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files\draw.io\locales\am.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\en-US.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\fr.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\locales\mr.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\pl.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\hi.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\nb.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\Quick Driver Updater\is-1AD23.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\is-4C9O0.tmp	Quick_Driver_Updater.tmp
File created	C:\Program Files\Quick Driver Updater\langs\is-LQLBD.tmp	Quick_Driver_Updater.tmp
File opened for modification	C:\Program Files\draw.io\swiftshader\libGLESv2.dll	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\locales\ko.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\tr.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\es-419.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\locales\es.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\locales\bn.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\fa.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\pt-BR.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\locales\sw.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\vi.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\hr.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\locales\te.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\locales\es-419.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\locales\ms.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\locales\ro.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\libEGL.dll	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\locales\zh-TW.pak	draw.io-13.9.9-windows-installer.exe
File created	C:\Program Files\draw.io\draw.io.exe	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\locales\he.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\locales\ca.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\locales\ru.pak	draw.io-13.9.9-windows-installer.exe
File opened for modification	C:\Program Files\draw.io\ffmpeg.dll	draw.io-13.9.9-windows-installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

svchost.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exe

pid	Process
4720	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

svchost.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
3680	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Draw.io _caMQZ.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Draw.io _caMQZ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Draw.io _caMQZ.exe = "11000"	Draw.io _caMQZ.exe

Modifies registry class 26 IoCs

Processes:

draw.io-13.9.9-windows-installer.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\draw.io Diagram\DefaultIcon	draw.io-13.9.9-windows-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vsdx\ = "VSDX Document"	draw.io-13.9.9-windows-installer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VSDX Document\DefaultIcon	draw.io-13.9.9-windows-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.drawio\ = "draw.io Diagram"	draw.io-13.9.9-windows-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\draw.io Diagram\DefaultIcon\ = "C:\\Program Files\\draw.io\\draw.io.exe,0"	draw.io-13.9.9-windows-installer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\draw.io Diagram\shell	draw.io-13.9.9-windows-installer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.vsdx	draw.io-13.9.9-windows-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VSDX Document\DefaultIcon\ = "C:\\Program Files\\draw.io\\draw.io.exe,0"	draw.io-13.9.9-windows-installer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VSDX Document\shell\open	draw.io-13.9.9-windows-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VSDX Document\shell\open\ = "Open with draw.io"	draw.io-13.9.9-windows-installer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VSDX Document\shell\open\command	draw.io-13.9.9-windows-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\draw.io Diagram\ = "draw.io Diagram"	draw.io-13.9.9-windows-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\draw.io Diagram\shell\open\ = "Open with draw.io"	draw.io-13.9.9-windows-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vsdx\VSDX Document_backup = "VisioViewer.Viewer"	draw.io-13.9.9-windows-installer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VSDX Document	draw.io-13.9.9-windows-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VSDX Document\ = "VSDX Document"	draw.io-13.9.9-windows-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VSDX Document\shell\ = "open"	draw.io-13.9.9-windows-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VSDX Document\shell\open\command\ = "C:\\Program Files\\draw.io\\draw.io.exe \"%1\""	draw.io-13.9.9-windows-installer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\draw.io Diagram	draw.io-13.9.9-windows-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.drawio\draw.io Diagram_backup	draw.io-13.9.9-windows-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\draw.io Diagram\shell\ = "open"	draw.io-13.9.9-windows-installer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\draw.io Diagram\shell\open	draw.io-13.9.9-windows-installer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\draw.io Diagram\shell\open\command	draw.io-13.9.9-windows-installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\draw.io Diagram\shell\open\command\ = "C:\\Program Files\\draw.io\\draw.io.exe \"%1\""	draw.io-13.9.9-windows-installer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VSDX Document\shell	draw.io-13.9.9-windows-installer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.drawio	draw.io-13.9.9-windows-installer.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

qdu.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	qdu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	qdu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	qdu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	qdu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	qdu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	qdu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	qdu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	qdu.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

Draw.io _caMQZ.exeQuick_Driver_Updater.tmpdraw.io-13.9.9-windows-installer.exedraw.io.exedraw.io.exe

pid	Process
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe
1544	Quick_Driver_Updater.tmp
1544	Quick_Driver_Updater.tmp
1956	draw.io-13.9.9-windows-installer.exe
1956	draw.io-13.9.9-windows-installer.exe
1956	draw.io-13.9.9-windows-installer.exe
1956	draw.io-13.9.9-windows-installer.exe
1956	draw.io-13.9.9-windows-installer.exe
1956	draw.io-13.9.9-windows-installer.exe
2372	draw.io.exe
2372	draw.io.exe
3688	draw.io.exe
3688	draw.io.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exedraw.io-13.9.9-windows-installer.exeqdu.exe

description	pid	Process
Token: SeDebugPrivilege	3680	taskkill.exe
Token: SeSecurityPrivilege	1956	draw.io-13.9.9-windows-installer.exe
Token: SeDebugPrivilege	4308	qdu.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Quick_Driver_Updater.tmp

pid	Process
1544	Quick_Driver_Updater.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Draw.io _caMQZ.exe

pid	Process
3232	Draw.io _caMQZ.exe
3232	Draw.io _caMQZ.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

Draw.io _caMQZ.exeQuick_Driver_Updater.exeQuick_Driver_Updater.tmpdraw.io.exe

description	pid	Process	procid_target
PID 3232 wrote to memory of 1072	3232	Draw.io _caMQZ.exe	95
PID 3232 wrote to memory of 1072	3232	Draw.io _caMQZ.exe	95
PID 3232 wrote to memory of 1072	3232	Draw.io _caMQZ.exe	95
PID 1072 wrote to memory of 1544	1072	Quick_Driver_Updater.exe	96
PID 1072 wrote to memory of 1544	1072	Quick_Driver_Updater.exe	96
PID 1072 wrote to memory of 1544	1072	Quick_Driver_Updater.exe	96
PID 3232 wrote to memory of 1956	3232	Draw.io _caMQZ.exe	97
PID 3232 wrote to memory of 1956	3232	Draw.io _caMQZ.exe	97
PID 3232 wrote to memory of 1956	3232	Draw.io _caMQZ.exe	97
PID 1544 wrote to memory of 4540	1544	Quick_Driver_Updater.tmp	98
PID 1544 wrote to memory of 4540	1544	Quick_Driver_Updater.tmp	98
PID 1544 wrote to memory of 4540	1544	Quick_Driver_Updater.tmp	98
PID 1544 wrote to memory of 3680	1544	Quick_Driver_Updater.tmp	100
PID 1544 wrote to memory of 3680	1544	Quick_Driver_Updater.tmp	100
PID 1544 wrote to memory of 3680	1544	Quick_Driver_Updater.tmp	100
PID 1544 wrote to memory of 4720	1544	Quick_Driver_Updater.tmp	103
PID 1544 wrote to memory of 4720	1544	Quick_Driver_Updater.tmp	103
PID 1544 wrote to memory of 4308	1544	Quick_Driver_Updater.tmp	105
PID 1544 wrote to memory of 4308	1544	Quick_Driver_Updater.tmp	105
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 4740	1360	draw.io.exe	110
PID 1360 wrote to memory of 2372	1360	draw.io.exe	111
PID 1360 wrote to memory of 2372	1360	draw.io.exe	111
PID 1360 wrote to memory of 3688	1360	draw.io.exe	112
PID 1360 wrote to memory of 3688	1360	draw.io.exe	112

C:\Users\Admin\AppData\Local\Temp\Draw.io _caMQZ.exe
"C:\Users\Admin\AppData\Local\Temp\Draw.io _caMQZ.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Users\Admin\AppData\Local\Temp\Quick_Driver_Updater_exe_410182022109245055287816\Quick_Driver_Updater.exe
  "C:\Users\Admin\AppData\Local\Temp\Quick_Driver_Updater_exe_410182022109245055287816\Quick_Driver_Updater.exe" /verysilent /ppi=1 /ppinag=1 /ddtime=500 /delay=5 /source=sftqdu1 /pixel=SFT5696_SFT5567_RUNT
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Users\Admin\AppData\Local\Temp\is-JQRPI.tmp\Quick_Driver_Updater.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-JQRPI.tmp\Quick_Driver_Updater.tmp" /SL5="$30202,5773230,1034240,C:\Users\Admin\AppData\Local\Temp\Quick_Driver_Updater_exe_410182022109245055287816\Quick_Driver_Updater.exe" /verysilent /ppi=1 /ppinag=1 /ddtime=500 /delay=5 /source=sftqdu1 /pixel=SFT5696_SFT5567_RUNT
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /tn "Quick Driver Updater_launcher" /f
      4⤵
      PID:4540
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im "qdu.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3680
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /Create /F /RL Highest /SC ONCE /st 00:00 /TN "Quick Driver Updater skipuac" /TR "'C:\Program Files\Quick Driver Updater\qdu.exe'"
      4⤵
      Creates scheduled task(s)
      PID:4720
  - - C:\Program Files\Quick Driver Updater\qdu.exe
      "C:\Program Files\Quick Driver Updater\qdu.exe" cntryphnno
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:4308
  - - C:\Program Files\Quick Driver Updater\qdu.exe
      "C:\Program Files\Quick Driver Updater\qdu.exe" silentlnch
      4⤵
      PID:3644
- C:\Users\Admin\AppData\Local\Temp\draw_io-13_9_9-windows-installer_exe_210182022109191406136285\draw.io-13.9.9-windows-installer.exe
  "C:\Users\Admin\AppData\Local\Temp\draw_io-13_9_9-windows-installer_exe_210182022109191406136285\draw.io-13.9.9-windows-installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:3816

C:\Program Files\draw.io\draw.io.exe
"C:\Program Files\draw.io\draw.io.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Program Files\draw.io\draw.io.exe
  "C:\Program Files\draw.io\draw.io.exe" --type=gpu-process --field-trial-handle=1600,2396087647627452588,12912770997049205573,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1608 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4740
- C:\Program Files\draw.io\draw.io.exe
  "C:\Program Files\draw.io\draw.io.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1600,2396087647627452588,12912770997049205573,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1956 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2372
- C:\Program Files\draw.io\draw.io.exe
  "C:\Program Files\draw.io\draw.io.exe" --type=renderer --field-trial-handle=1600,2396087647627452588,12912770997049205573,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Program Files\draw.io\resources\app.asar" --node-integration --node-integration-in-worker --no-sandbox --no-zygote --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2164 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3688

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
1⤵
PID:2164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery