glupteba | ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe

Windows security bypass 2 TTPs 10 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	44a9DTC2juXKXXN1UzfStvYO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\44a9DTC2juXKXXN1UzfStvYO.exe = "0"	44a9DTC2juXKXXN1UzfStvYO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	44a9DTC2juXKXXN1UzfStvYO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	44a9DTC2juXKXXN1UzfStvYO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	44a9DTC2juXKXXN1UzfStvYO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	44a9DTC2juXKXXN1UzfStvYO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3HJk5Rtgz9Z8AIy5RAlnPyhK.exe = "0"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	44a9DTC2juXKXXN1UzfStvYO.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
2844	bcdedit.exe
2056	bcdedit.exe
1112	bcdedit.exe
1548	bcdedit.exe
312	bcdedit.exe
1744	bcdedit.exe
1960	bcdedit.exe
1652	bcdedit.exe
1484	bcdedit.exe
752	bcdedit.exe
1144	bcdedit.exe
1524	bcdedit.exe
2000	bcdedit.exe
2140	bcdedit.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
2516	netsh.exe
2424	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qBnvgDSGIWNNYWkQycaHVHv4.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cwrIYrGiQtLwHcJDzlp78yO3.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YxnIT5KJfLvDqw0XgtmjKskN.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z95Fte23Ss5sJy3O2LAJQjT3.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CtPuOj9GvLPwnkytpY3M1Aar.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KD8Sm2gKzFzbf0UkKldxC2sD.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LDvyXqtSB6RYjDZR3q3mPP1E.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wOaaGQZQ2sAGdR8mQPTKFZS5.bat	InstallUtil.exe

Executes dropped EXE 17 IoCs

pid	Process
2172	MbUjeOZ73F7OhVaaBNfBU4aX.exe
2900	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
1516	jt5z7FgliaYvB5ifrWDc1rJL.exe
1524	44a9DTC2juXKXXN1UzfStvYO.exe
1484	UimZiAJPVK1OjEUmnE8FVbQ3.exe
2976	jt5z7FgliaYvB5ifrWDc1rJL.tmp
2660	kphonelib.exe
1920	ddDytu91Ba5WLM6th5clz2WM.exe
1924	kphonelib.exe
2196	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
1352	44a9DTC2juXKXXN1UzfStvYO.exe
3048	csrss.exe
2656	patch.exe
2672	injector.exe
2108	dsefix.exe
2268	windefender.exe
2860	windefender.exe

Loads dropped DLL 33 IoCs

pid	Process
2828	InstallUtil.exe
2828	InstallUtil.exe
2828	InstallUtil.exe
2828	InstallUtil.exe
2828	InstallUtil.exe
2828	InstallUtil.exe
2828	InstallUtil.exe
2828	InstallUtil.exe
1484	UimZiAJPVK1OjEUmnE8FVbQ3.exe
1516	jt5z7FgliaYvB5ifrWDc1rJL.exe
2976	jt5z7FgliaYvB5ifrWDc1rJL.tmp
2976	jt5z7FgliaYvB5ifrWDc1rJL.tmp
2976	jt5z7FgliaYvB5ifrWDc1rJL.tmp
2976	jt5z7FgliaYvB5ifrWDc1rJL.tmp
2976	jt5z7FgliaYvB5ifrWDc1rJL.tmp
2828	InstallUtil.exe
1920	ddDytu91Ba5WLM6th5clz2WM.exe
1920	ddDytu91Ba5WLM6th5clz2WM.exe
1484	UimZiAJPVK1OjEUmnE8FVbQ3.exe
1352	44a9DTC2juXKXXN1UzfStvYO.exe
1352	44a9DTC2juXKXXN1UzfStvYO.exe
848	Process not Found
2656	patch.exe
2656	patch.exe
2656	patch.exe
2656	patch.exe
2656	patch.exe
3048	csrss.exe
1920	ddDytu91Ba5WLM6th5clz2WM.exe
2656	patch.exe
2656	patch.exe
2656	patch.exe
3048	csrss.exe

Registers COM server for autorun 1 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	ddDytu91Ba5WLM6th5clz2WM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\libzmq.dll"	ddDytu91Ba5WLM6th5clz2WM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ThreadingModel = "Apartment"	ddDytu91Ba5WLM6th5clz2WM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ThreadingModel = "Apartment"	ddDytu91Ba5WLM6th5clz2WM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	ddDytu91Ba5WLM6th5clz2WM.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	ddDytu91Ba5WLM6th5clz2WM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	ddDytu91Ba5WLM6th5clz2WM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ThreadingModel = "Apartment"	ddDytu91Ba5WLM6th5clz2WM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\libzmq.dll"	ddDytu91Ba5WLM6th5clz2WM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\libzmq.dll"	ddDytu91Ba5WLM6th5clz2WM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	ddDytu91Ba5WLM6th5clz2WM.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001753f-115.dat	upx
behavioral1/files/0x000600000001753f-119.dat	upx
behavioral1/files/0x000600000001753f-116.dat	upx
behavioral1/memory/1484-125-0x0000000000210000-0x0000000000738000-memory.dmp	upx
behavioral1/memory/1484-346-0x0000000000210000-0x0000000000738000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-714.dat	upx
behavioral1/memory/2268-716-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x0005000000004ed7-717.dat	upx
behavioral1/memory/2860-719-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2268-721-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2860-735-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 11 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3HJk5Rtgz9Z8AIy5RAlnPyhK.exe = "0"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	44a9DTC2juXKXXN1UzfStvYO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	44a9DTC2juXKXXN1UzfStvYO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	44a9DTC2juXKXXN1UzfStvYO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	44a9DTC2juXKXXN1UzfStvYO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	44a9DTC2juXKXXN1UzfStvYO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	44a9DTC2juXKXXN1UzfStvYO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\44a9DTC2juXKXXN1UzfStvYO.exe = "0"	44a9DTC2juXKXXN1UzfStvYO.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	44a9DTC2juXKXXN1UzfStvYO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1320 set thread context of 2828	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	32
PID 2172 set thread context of 1664	2172	MbUjeOZ73F7OhVaaBNfBU4aX.exe	54

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
File opened (read-only)	\??\VBoxMiniRdrDN	44a9DTC2juXKXXN1UzfStvYO.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\KPhoneLib\bin\x86\is-NPVK5.tmp	jt5z7FgliaYvB5ifrWDc1rJL.tmp
File created	C:\Program Files (x86)\ClocX\Lang\Estonian.lng	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\dsaqua.bmp	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\iSink.bmp	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Sounds\ring2.mp3	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\KPhoneLib\bin\x86\is-HTBG4.tmp	jt5z7FgliaYvB5ifrWDc1rJL.tmp
File created	C:\Program Files (x86)\KPhoneLib\stuff\is-7J7L4.tmp	jt5z7FgliaYvB5ifrWDc1rJL.tmp
File opened for modification	C:\Program Files (x86)\KPhoneLib\unins000.dat	jt5z7FgliaYvB5ifrWDc1rJL.tmp
File created	C:\Program Files (x86)\ClocX\Presets\AquaB.png	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockAmber.bmp	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\Kirchenuhr.png	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Lang\English.lng	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\MickeyClock.ini	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Lang\Hungarian.lng	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Lang\Turkce.lng	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockAqua.bmp	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\GroenneKugler.ini	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\KPhoneLib\bin\x86\is-NGK0L.tmp	jt5z7FgliaYvB5ifrWDc1rJL.tmp
File created	C:\Program Files (x86)\ClocX\Lang\Indonesian.lng	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\earth.png	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\iSink.png	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\klokje.png	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\roman2\roman2minute.png	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\KPhoneLib\bin\x86\is-K4ABV.tmp	jt5z7FgliaYvB5ifrWDc1rJL.tmp
File created	C:\Program Files (x86)\ClocX\Presets\AJ-CityHall-500-hour.hpng	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\MClkminHand.hpng	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\Negro.ini	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\White_Apple_Clock.bmp	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\KPhoneLib\bin\x86\is-3Q5KN.tmp	jt5z7FgliaYvB5ifrWDc1rJL.tmp
File created	C:\Program Files (x86)\KPhoneLib\bin\x86\is-7196V.tmp	jt5z7FgliaYvB5ifrWDc1rJL.tmp
File created	C:\Program Files (x86)\ClocX\Lang\Suomi.lng	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\Aqua_Apple_Clock.bmp	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\UniversalAccessClock.bmp	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Lang\Greek.lng	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\BubbleClock.png	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\Citizen.png	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\MilkClock.bmp	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\weemsplath.png	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\KPhoneLib\bin\x86\is-42VMO.tmp	jt5z7FgliaYvB5ifrWDc1rJL.tmp
File created	C:\Program Files (x86)\KPhoneLib\bin\x86\is-KP5P7.tmp	jt5z7FgliaYvB5ifrWDc1rJL.tmp
File created	C:\Program Files (x86)\ClocX\Lang\Arabic.lng	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Lang\Bulgarian.lng	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\klokje.ini	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\domeclock\domemin.png	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\Adler.png	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockIce.bmp	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\DarkCrystalBall.ini	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\MickeyMouse.png	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\Nvidia.png	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\uninst.exe	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\KPhoneLib\bin\x86\is-L9H90.tmp	jt5z7FgliaYvB5ifrWDc1rJL.tmp
File created	C:\Program Files (x86)\ClocX\Lang\Polish.lng	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Lang\Thai.lng	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Lang\Traditional_Chinese.lng	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\Octopye2.ini	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\VioletteKugler.png	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\KPhoneLib\bin\x86\is-IGA8L.tmp	jt5z7FgliaYvB5ifrWDc1rJL.tmp
File created	C:\Program Files (x86)\ClocX\Presets\AJ-CityHall-500-minute.hpng	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\GroenneKugler.png	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\KPhoneLib\bin\x86\is-3ME0O.tmp	jt5z7FgliaYvB5ifrWDc1rJL.tmp
File created	C:\Program Files (x86)\KPhoneLib\bin\x86\is-UQ0R3.tmp	jt5z7FgliaYvB5ifrWDc1rJL.tmp
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallOnlyDots.ini	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\CarpeDiem.png	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Program Files (x86)\ClocX\Presets\Holzuhr.png	ddDytu91Ba5WLM6th5clz2WM.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
File created	C:\Windows\rss\csrss.exe	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\servicing\Editions\libzmq.dll	ddDytu91Ba5WLM6th5clz2WM.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20231217223540.cab	makecab.exe
File opened for modification	C:\Windows\rss	44a9DTC2juXKXXN1UzfStvYO.exe
File created	C:\Windows\rss\csrss.exe	44a9DTC2juXKXXN1UzfStvYO.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2196	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001a3f8-279.dat	nsis_installer_1
behavioral1/files/0x000500000001a3f8-279.dat	nsis_installer_2
behavioral1/files/0x000500000001a3f8-277.dat	nsis_installer_1
behavioral1/files/0x000500000001a3f8-277.dat	nsis_installer_2
behavioral1/files/0x000500000001a3f8-280.dat	nsis_installer_1
behavioral1/files/0x000500000001a3f8-280.dat	nsis_installer_2
behavioral1/files/0x000500000001a3f8-281.dat	nsis_installer_1
behavioral1/files/0x000500000001a3f8-281.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2916	schtasks.exe
280	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-521 = "N. Central Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	windefender.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	ddDytu91Ba5WLM6th5clz2WM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}	ddDytu91Ba5WLM6th5clz2WM.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}	ddDytu91Ba5WLM6th5clz2WM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\libzmq.dll"	ddDytu91Ba5WLM6th5clz2WM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx	ddDytu91Ba5WLM6th5clz2WM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\libzmq.dll"	ddDytu91Ba5WLM6th5clz2WM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	ddDytu91Ba5WLM6th5clz2WM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	ddDytu91Ba5WLM6th5clz2WM.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	ddDytu91Ba5WLM6th5clz2WM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	ddDytu91Ba5WLM6th5clz2WM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ = "C:\\Windows\\servicing\\Editions\\libzmq.dll"	ddDytu91Ba5WLM6th5clz2WM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ThreadingModel = "Apartment"	ddDytu91Ba5WLM6th5clz2WM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ThreadingModel = "Apartment"	ddDytu91Ba5WLM6th5clz2WM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	ddDytu91Ba5WLM6th5clz2WM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\{e357fccd-a995-4576-b01f-234630154e96}\ = "{1AD1CAC3-5661-FFFE-2CE7-8D413F916553}"	ddDytu91Ba5WLM6th5clz2WM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ThreadingModel = "Apartment"	ddDytu91Ba5WLM6th5clz2WM.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	ddDytu91Ba5WLM6th5clz2WM.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID	ddDytu91Ba5WLM6th5clz2WM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}	ddDytu91Ba5WLM6th5clz2WM.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}	ddDytu91Ba5WLM6th5clz2WM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AD1CAC3-5661-FFFE-2CE7-8D413F916553}	ddDytu91Ba5WLM6th5clz2WM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx\ = "{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}"	ddDytu91Ba5WLM6th5clz2WM.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
2480	powershell.exe
1920	ddDytu91Ba5WLM6th5clz2WM.exe
1920	ddDytu91Ba5WLM6th5clz2WM.exe
1920	ddDytu91Ba5WLM6th5clz2WM.exe
1920	ddDytu91Ba5WLM6th5clz2WM.exe
1920	ddDytu91Ba5WLM6th5clz2WM.exe
1920	ddDytu91Ba5WLM6th5clz2WM.exe
1920	ddDytu91Ba5WLM6th5clz2WM.exe
1920	ddDytu91Ba5WLM6th5clz2WM.exe
2900	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
1524	44a9DTC2juXKXXN1UzfStvYO.exe
1524	44a9DTC2juXKXXN1UzfStvYO.exe
2196	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
2196	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
2196	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
2196	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
2196	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
1352	44a9DTC2juXKXXN1UzfStvYO.exe
1352	44a9DTC2juXKXXN1UzfStvYO.exe
1352	44a9DTC2juXKXXN1UzfStvYO.exe
1352	44a9DTC2juXKXXN1UzfStvYO.exe
1352	44a9DTC2juXKXXN1UzfStvYO.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe
2672	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Token: SeDebugPrivilege	2828	InstallUtil.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2900	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Token: SeImpersonatePrivilege	2900	3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
Token: SeDebugPrivilege	1524	44a9DTC2juXKXXN1UzfStvYO.exe
Token: SeImpersonatePrivilege	1524	44a9DTC2juXKXXN1UzfStvYO.exe
Token: SeDebugPrivilege	1524	44a9DTC2juXKXXN1UzfStvYO.exe
Token: SeImpersonatePrivilege	1524	44a9DTC2juXKXXN1UzfStvYO.exe
Token: SeSystemEnvironmentPrivilege	3048	csrss.exe
Token: SeSecurityPrivilege	2196	sc.exe
Token: SeSecurityPrivilege	2196	sc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2976	jt5z7FgliaYvB5ifrWDc1rJL.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2480	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	28
PID 1320 wrote to memory of 2480	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	28
PID 1320 wrote to memory of 2480	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	28
PID 1320 wrote to memory of 2480	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	28
PID 1320 wrote to memory of 2732	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 1320 wrote to memory of 2732	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 1320 wrote to memory of 2732	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 1320 wrote to memory of 2732	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 1320 wrote to memory of 2752	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	31
PID 1320 wrote to memory of 2752	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	31
PID 1320 wrote to memory of 2752	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	31
PID 1320 wrote to memory of 2752	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	31
PID 1320 wrote to memory of 2828	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	32
PID 1320 wrote to memory of 2828	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	32
PID 1320 wrote to memory of 2828	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	32
PID 1320 wrote to memory of 2828	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	32
PID 1320 wrote to memory of 2828	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	32
PID 1320 wrote to memory of 2828	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	32
PID 1320 wrote to memory of 2828	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	32
PID 1320 wrote to memory of 2828	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	32
PID 1320 wrote to memory of 2828	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	32
PID 1320 wrote to memory of 2828	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	32
PID 1320 wrote to memory of 2828	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	32
PID 1320 wrote to memory of 2828	1320	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	32
PID 2828 wrote to memory of 2172	2828	InstallUtil.exe	33
PID 2828 wrote to memory of 2172	2828	InstallUtil.exe	33
PID 2828 wrote to memory of 2172	2828	InstallUtil.exe	33
PID 2828 wrote to memory of 2172	2828	InstallUtil.exe	33
PID 2828 wrote to memory of 2900	2828	InstallUtil.exe	34
PID 2828 wrote to memory of 2900	2828	InstallUtil.exe	34
PID 2828 wrote to memory of 2900	2828	InstallUtil.exe	34
PID 2828 wrote to memory of 2900	2828	InstallUtil.exe	34
PID 2828 wrote to memory of 1516	2828	InstallUtil.exe	35
PID 2828 wrote to memory of 1516	2828	InstallUtil.exe	35
PID 2828 wrote to memory of 1516	2828	InstallUtil.exe	35
PID 2828 wrote to memory of 1516	2828	InstallUtil.exe	35
PID 2828 wrote to memory of 1516	2828	InstallUtil.exe	35
PID 2828 wrote to memory of 1516	2828	InstallUtil.exe	35
PID 2828 wrote to memory of 1516	2828	InstallUtil.exe	35
PID 2828 wrote to memory of 1524	2828	InstallUtil.exe	36
PID 2828 wrote to memory of 1524	2828	InstallUtil.exe	36
PID 2828 wrote to memory of 1524	2828	InstallUtil.exe	36
PID 2828 wrote to memory of 1524	2828	InstallUtil.exe	36
PID 2828 wrote to memory of 1484	2828	InstallUtil.exe	37
PID 2828 wrote to memory of 1484	2828	InstallUtil.exe	37
PID 2828 wrote to memory of 1484	2828	InstallUtil.exe	37
PID 2828 wrote to memory of 1484	2828	InstallUtil.exe	37
PID 2828 wrote to memory of 1484	2828	InstallUtil.exe	37
PID 2828 wrote to memory of 1484	2828	InstallUtil.exe	37
PID 2828 wrote to memory of 1484	2828	InstallUtil.exe	37
PID 1516 wrote to memory of 2976	1516	jt5z7FgliaYvB5ifrWDc1rJL.exe	38
PID 1516 wrote to memory of 2976	1516	jt5z7FgliaYvB5ifrWDc1rJL.exe	38
PID 1516 wrote to memory of 2976	1516	jt5z7FgliaYvB5ifrWDc1rJL.exe	38
PID 1516 wrote to memory of 2976	1516	jt5z7FgliaYvB5ifrWDc1rJL.exe	38
PID 1516 wrote to memory of 2976	1516	jt5z7FgliaYvB5ifrWDc1rJL.exe	38
PID 1516 wrote to memory of 2976	1516	jt5z7FgliaYvB5ifrWDc1rJL.exe	38
PID 1516 wrote to memory of 2976	1516	jt5z7FgliaYvB5ifrWDc1rJL.exe	38
PID 2976 wrote to memory of 2596	2976	jt5z7FgliaYvB5ifrWDc1rJL.tmp	42
PID 2976 wrote to memory of 2596	2976	jt5z7FgliaYvB5ifrWDc1rJL.tmp	42
PID 2976 wrote to memory of 2596	2976	jt5z7FgliaYvB5ifrWDc1rJL.tmp	42
PID 2976 wrote to memory of 2596	2976	jt5z7FgliaYvB5ifrWDc1rJL.tmp	42
PID 2976 wrote to memory of 2660	2976	jt5z7FgliaYvB5ifrWDc1rJL.tmp	41
PID 2976 wrote to memory of 2660	2976	jt5z7FgliaYvB5ifrWDc1rJL.tmp	41
PID 2976 wrote to memory of 2660	2976	jt5z7FgliaYvB5ifrWDc1rJL.tmp	41

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
"C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1320
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\Pictures\MbUjeOZ73F7OhVaaBNfBU4aX.exe
    "C:\Users\Admin\Pictures\MbUjeOZ73F7OhVaaBNfBU4aX.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2172
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1664
- - C:\Users\Admin\Pictures\3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
    "C:\Users\Admin\Pictures\3HJk5Rtgz9Z8AIy5RAlnPyhK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
  - - C:\Users\Admin\Pictures\3HJk5Rtgz9Z8AIy5RAlnPyhK.exe
      "C:\Users\Admin\Pictures\3HJk5Rtgz9Z8AIy5RAlnPyhK.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:2196
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1336
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:2424
- - C:\Users\Admin\Pictures\jt5z7FgliaYvB5ifrWDc1rJL.exe
    "C:\Users\Admin\Pictures\jt5z7FgliaYvB5ifrWDc1rJL.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\is-94OQ3.tmp\jt5z7FgliaYvB5ifrWDc1rJL.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-94OQ3.tmp\jt5z7FgliaYvB5ifrWDc1rJL.tmp" /SL5="$8012C,6500912,54272,C:\Users\Admin\Pictures\jt5z7FgliaYvB5ifrWDc1rJL.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Program Files (x86)\KPhoneLib\kphonelib.exe
        
        "C:\Program Files (x86)\KPhoneLib\kphonelib.exe" -i
        5⤵
        Executes dropped EXE
        
        PID:2660
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 17
        5⤵
        
        PID:2596
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 17
        6⤵
        
        PID:2648
    - - C:\Program Files (x86)\KPhoneLib\kphonelib.exe
        
        "C:\Program Files (x86)\KPhoneLib\kphonelib.exe" -s
        5⤵
        Executes dropped EXE
        
        PID:1924
- - C:\Users\Admin\Pictures\44a9DTC2juXKXXN1UzfStvYO.exe
    "C:\Users\Admin\Pictures\44a9DTC2juXKXXN1UzfStvYO.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
  - - C:\Users\Admin\Pictures\44a9DTC2juXKXXN1UzfStvYO.exe
      "C:\Users\Admin\Pictures\44a9DTC2juXKXXN1UzfStvYO.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:1352
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1828
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:2516
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Manipulates WinMon driver.
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:1856
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2916
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:2656
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2844
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2056
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1112
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1548
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:312
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1744
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1960
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1652
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1484
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:752
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1144
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1524
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2000
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2140
      - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        6⤵
        Executes dropped EXE
        
        PID:2108
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:280
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
- - C:\Users\Admin\Pictures\UimZiAJPVK1OjEUmnE8FVbQ3.exe
    "C:\Users\Admin\Pictures\UimZiAJPVK1OjEUmnE8FVbQ3.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1484
- - C:\Users\Admin\Pictures\ddDytu91Ba5WLM6th5clz2WM.exe
    "C:\Users\Admin\Pictures\ddDytu91Ba5WLM6th5clz2WM.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1920

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231217223540.log C:\Windows\Logs\CBS\CbsPersist_20231217223540.cab
1⤵
- Drops file in Windows directory
PID:2668

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry