f1da9552e6838feb549c6bb53f9d22d761c1c9446a86240dce31b1c10679df41

Analysis

max time kernel
162s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ot.exe
Size

77.3MB
MD5

404aa3969362eb3eff49f02a22ac14bb
SHA1

f60cc73a43cff70ec5386345793fc45406c6962d
SHA256

f1da9552e6838feb549c6bb53f9d22d761c1c9446a86240dce31b1c10679df41
SHA512

3c447cc169b4aaed98575d8413a99cadf600cc9810d0eabb757d219c1538d000b6edd99ee7383a558147d02b4e2a794b2b9cba753813256cd279e4bcd5e0b1d4
SSDEEP

1572864:ycycjLk0uYgZAI+pcl2H5kYPc+miieYVThk7V63QoMEJ:yPxXYuR+phOYPc+hiP3iV6AoF

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4916	tapinstall.exe

Loads dropped DLL 12 IoCs

pid	Process
1260	ot.exe
1260	ot.exe
1260	ot.exe
1260	ot.exe
1260	ot.exe
1260	ot.exe
1260	ot.exe
1260	ot.exe
1260	ot.exe
1260	ot.exe
1260	ot.exe
1260	ot.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{8708e159-ad2f-cc4e-96ef-c42172c5affa}\SET8B16.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8708e159-ad2f-cc4e-96ef-c42172c5affa}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8708e159-ad2f-cc4e-96ef-c42172c5affa}\SET8B15.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8708e159-ad2f-cc4e-96ef-c42172c5affa}\SET8B15.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8708e159-ad2f-cc4e-96ef-c42172c5affa}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8708e159-ad2f-cc4e-96ef-c42172c5affa}\SET8B16.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8708e159-ad2f-cc4e-96ef-c42172c5affa}\SET8B14.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{8708e159-ad2f-cc4e-96ef-c42172c5affa}\SET8B14.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8708e159-ad2f-cc4e-96ef-c42172c5affa}\oemvista.inf	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\sv.lproj\InfoPlist.strings	ot.exe
File created	C:\Program Files (x86)\Outline\libEGL.dll	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\da.lproj\InfoPlist.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\ca.lproj\MobileDeviceUpdateController.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\hi.lproj\MainMenu.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\hu.lproj\InfoPlist.strings	ot.exe
File opened for modification	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\ru.lproj	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\ru.lproj\Localizable.strings	ot.exe
File opened for modification	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\zh_HK.lproj	ot.exe
File opened for modification	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\cs.lproj	ot.exe
File opened for modification	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\src\ios-deploy-tests	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\cs.lproj\InfoPlist.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\ar.lproj\MobileDeviceUpdateController.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\el.lproj\InfoPlist.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\es.lproj\InfoPlist.strings	ot.exe
File created	C:\Program Files (x86)\Outline\locales\ja.pak	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\pt_BR.lproj\InfoPlist.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\tr.lproj\Localizable.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\ko.lproj\MainMenu.strings	ot.exe
File opened for modification	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\build\ios-deploy.build\Release	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\demo\Entitlements.plist	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\AppleMobileSync.app\Contents\Info.plist	ot.exe
File opened for modification	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\de.lproj	ot.exe
File opened for modification	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\pt_BR.lproj	ot.exe
File created	C:\Program Files (x86)\Outline\tap-windows6\OemVista.inf	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\cs.lproj\Localizable.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\es.lproj\Localizable.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\vi.lproj\Localizable.strings	ot.exe
File created	C:\Program Files (x86)\Outline\ffmpeg.dll	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\en_GB.lproj\InfoPlist.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\fi.lproj\InfoPlist.strings	ot.exe
File opened for modification	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\es.lproj\MobileDeviceUpdateController.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\fr.lproj\Localizable.strings	ot.exe
File opened for modification	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\uk.lproj	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\ja.lproj\InfoPlist.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\nl.lproj\Localizable.strings	ot.exe
File created	C:\Program Files (x86)\Outline\locales\he.pak	ot.exe
File opened for modification	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\ko.lproj	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\pt_BR.lproj\Localizable.strings	ot.exe
File opened for modification	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\ro.lproj	ot.exe
File opened for modification	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\ja.lproj	ot.exe
File created	C:\Program Files (x86)\Outline\locales\sr.pak	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\da.lproj\MobileDeviceUpdateController.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\hr.lproj\Localizable.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\vi.lproj\MainMenu.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\build\Release\ios-deploy	ot.exe
File opened for modification	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework	ot.exe
File opened for modification	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\AppleMobileSync.app\Contents\_CodeSignature	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\hu.lproj\Localizable.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\it.lproj\MainMenu.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\ms.lproj\MainMenu.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\ca.lproj\MainMenu.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\he.lproj\InfoPlist.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\he.lproj\MobileDeviceUpdateController.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\zh_TW.lproj\Localizable.strings	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\el.lproj\MobileDeviceUpdateController.strings	ot.exe
File opened for modification	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\build\Release\ios-deploy.dSYM\Contents	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\src\ios-deploy\lldb.py.h	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Resources	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\_Frameworks\MobileDevice.framework\Versions\A\Resources\MobileDeviceUpdater.app\Contents\Resources\de.lproj\MainMenu.strings	ot.exe
File created	C:\Program Files (x86)\Outline\Newtonsoft.Json.dll	ot.exe
File created	C:\Program Files (x86)\Outline\libGLESv2.dll	ot.exe
File created	C:\Program Files (x86)\Outline\resources\app.asar.unpacked\node_modules\ios-deploy\build\XCBuildData\5877d66c6ca910f1649e8db7c668ba42-manifest.xcbuild	ot.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	rundll32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1260	ot.exe
1260	ot.exe
1260	ot.exe
1260	ot.exe
1260	ot.exe
1260	ot.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1260	ot.exe
Token: SeAuditPrivilege	3988	svchost.exe
Token: SeSecurityPrivilege	3988	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 3588	1260	ot.exe	84
PID 1260 wrote to memory of 3588	1260	ot.exe	84
PID 1260 wrote to memory of 3588	1260	ot.exe	84
PID 3588 wrote to memory of 3928	3588	net.exe	86
PID 3588 wrote to memory of 3928	3588	net.exe	86
PID 3588 wrote to memory of 3928	3588	net.exe	86
PID 1260 wrote to memory of 2540	1260	ot.exe	87
PID 1260 wrote to memory of 2540	1260	ot.exe	87
PID 1260 wrote to memory of 2540	1260	ot.exe	87
PID 2540 wrote to memory of 3948	2540	cmd.exe	89
PID 2540 wrote to memory of 3948	2540	cmd.exe	89
PID 2540 wrote to memory of 3948	2540	cmd.exe	89
PID 2540 wrote to memory of 4916	2540	cmd.exe	91
PID 2540 wrote to memory of 4916	2540	cmd.exe	91
PID 3988 wrote to memory of 2196	3988	svchost.exe	93
PID 3988 wrote to memory of 2196	3988	svchost.exe	93
PID 2196 wrote to memory of 3720	2196	DrvInst.exe	94
PID 2196 wrote to memory of 3720	2196	DrvInst.exe	94

C:\Users\Admin\AppData\Local\Temp\ot.exe
"C:\Users\Admin\AppData\Local\Temp\ot.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\SysWOW64\net.exe
  net stop OutlineService
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop OutlineService
    3⤵
    PID:3928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c add_tap_device.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\netsh.exe
    netsh interface show interface name=outline-tap0
    3⤵
    PID:3948
- - C:\Program Files (x86)\Outline\tap-windows6\tapinstall.exe
    tap-windows6\tapinstall install tap-windows6\OemVista.inf tap0901
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies system certificate store
    PID:4916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{f93eb85f-d268-2846-9e7c-b1710ab771a3}\oemvista.inf" "9" "4d14a44ff" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "c:\program files (x86)\outline\tap-windows6"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{ebdf6067-5649-d346-9dad-e78c64a5fb62} Global\{b6f8e7fb-9ee8-dc46-8cc2-139b5182ebf7} C:\Windows\System32\DriverStore\Temp\{8708e159-ad2f-cc4e-96ef-c42172c5affa}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{8708e159-ad2f-cc4e-96ef-c42172c5affa}\tap0901.cat
    3⤵
    - Modifies system certificate store
    PID:3720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Outline\add_tap_device.bat

Filesize
5KB

MD5
4a0f9ee182b115ac3411a92ff8f05fee

SHA1
03d3ad982761639c6186dc1f0aeff8ca40b77f75

SHA256
63d2244cb87521ca5dd5975052b5dc8301f6533cf91067b10c59cb678beb81ad

SHA512
92eb1e8022e7982b5ff56bd0c49be7943aaa2f0b60aba8bd4cc6e7ab3e7a49259e1cd4b46b8b76dd221b1a29e13e8a6b2cacee035a8b8bc2638246b8af951f14

Download Submit
C:\Program Files (x86)\Outline\tap-windows6\OemVista.inf

Filesize
7KB

MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Program Files (x86)\Outline\tap-windows6\tapinstall.exe

Filesize
99KB

MD5
33289e648328f3fd56501dd11c33c882

SHA1
195553c9e93b08dcc60708e8d8960aa33a41f835

SHA256
0e6ae4312a345b00e58329de41544f709021b24496ecb8ec8a06ae7ceab37ca9

SHA512
d9effe4b6c31edc0243c1bf4b91506188769ab0df5363e625abff55fad3a34b504d090dbbd42ccb77beea875b855f296d6ea49ff96ab4c0017ed42130c4a1fd3

Download Submit
C:\Program Files (x86)\Outline\tap-windows6\tapinstall.exe

Filesize
99KB

MD5
33289e648328f3fd56501dd11c33c882

SHA1
195553c9e93b08dcc60708e8d8960aa33a41f835

SHA256
0e6ae4312a345b00e58329de41544f709021b24496ecb8ec8a06ae7ceab37ca9

SHA512
d9effe4b6c31edc0243c1bf4b91506188769ab0df5363e625abff55fad3a34b504d090dbbd42ccb77beea875b855f296d6ea49ff96ab4c0017ed42130c4a1fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaE361.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaE361.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaE361.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaE361.tmp\UserInfo.dll

Filesize
4KB

MD5
9eb662f3b5fbda28bffe020e0ab40519

SHA1
0bd28183a9d8dbb98afbcf100fb1f4f6c5fc6c41

SHA256
9aa388c7de8e96885adcb4325af871b470ac50edb60d4b0d876ad43f5332ffd1

SHA512
6c36f7b45efe792c21d8a87d03e63a4b641169fad6d014db1e7d15badd0e283144d746d888232d6123b551612173b2bb42bf05f16e3129b625f5ddba4134b5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaE361.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaE361.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaE361.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaE361.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaE361.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaE361.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaE361.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaE361.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F93EB~1\tap0901.cat

Filesize
19KB

MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F93EB~1\tap0901.sys

Filesize
26KB

MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{f93eb85f-d268-2846-9e7c-b1710ab771a3}\oemvista.inf

Filesize
7KB

MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Windows\System32\DriverStore\Temp\{8708e159-ad2f-cc4e-96ef-c42172c5affa}\oemvista.inf

Filesize
7KB

MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Windows\System32\DriverStore\Temp\{8708e159-ad2f-cc4e-96ef-c42172c5affa}\tap0901.cat

Filesize
19KB

MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
\??\c:\PROGRA~2\outline\TAP-WI~1\tap0901.sys

Filesize
26KB

MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
\??\c:\program files (x86)\outline\tap-windows6\tap0901.cat

Filesize
19KB

MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
memory/2196-155-0x0000000000000000-mapping.dmp

Download
memory/2540-146-0x0000000000000000-mapping.dmp

Download
memory/3588-143-0x0000000000000000-mapping.dmp

Download
memory/3720-159-0x0000000000000000-mapping.dmp

Download
memory/3928-144-0x0000000000000000-mapping.dmp

Download
memory/3948-148-0x0000000000000000-mapping.dmp

Download
memory/4916-149-0x0000000000000000-mapping.dmp

Download