asyncrat | d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\chromeupdate.exe	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

3D51.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3D51.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3D51.exe

Modifies boot configuration data using bcdedit 1 TTPs 14 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
1996	bcdedit.exe
1616	bcdedit.exe
1004	bcdedit.exe
2044	bcdedit.exe
2892	bcdedit.exe
2396	bcdedit.exe
2084	bcdedit.exe
756	bcdedit.exe
1916	bcdedit.exe
2752	bcdedit.exe
1280	bcdedit.exe
380	bcdedit.exe
676	bcdedit.exe
2536	bcdedit.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2064 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
2064	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

3D51.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3D51.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3D51.exe

Executes dropped EXE 32 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exeInstallSetup9.exetoolspub1.exeBroomSetup.exensi600C.tmpd21cbe21e38b385a41a68c5e6dd32f4c.execsrss.exepatch.exeinjector.exeBFD6.exeDB04.exeDB04.exeDB04.exeDB04.exedsefix.exebuild2.exebuild2.exebuild3.exe3075.exebuild3.exewindefender.exewindefender.exe3D51.exe4BA4.exe4BA4.tmp50A5.exepyobjserialization.exepyobjserialization.exeadasda.exechromeupdate.exemstsca.exemstsca.exe

pid	process
2016	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2900	InstallSetup9.exe
2704	toolspub1.exe
2964	BroomSetup.exe
580	nsi600C.tmp
664	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2324	csrss.exe
1284	patch.exe
2512	injector.exe
1200	BFD6.exe
2252	DB04.exe
2476	DB04.exe
1304	DB04.exe
1752	DB04.exe
596	dsefix.exe
2256	build2.exe
2648	build2.exe
2224	build3.exe
2724	3075.exe
2104	build3.exe
2628	windefender.exe
1112	windefender.exe
580	3D51.exe
2860	4BA4.exe
1756	4BA4.tmp
2732	50A5.exe
2960	pyobjserialization.exe
2556	pyobjserialization.exe
2700	adasda.exe
1540	chromeupdate.exe
2160	mstsca.exe
1340	mstsca.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

3D51.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine 3D51.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Wine	3D51.exe

Loads dropped DLL 52 IoCs

Processes:

tmp.exeInstallSetup9.exed21cbe21e38b385a41a68c5e6dd32f4c.exepatch.execsrss.exe3D51.exeDB04.exeDB04.exeDB04.exeDB04.exeWerFault.exeWerFault.exe4BA4.exe4BA4.tmp50A5.exe

pid	process
2344	tmp.exe
2344	tmp.exe
2344	tmp.exe
2344	tmp.exe
2344	tmp.exe
2900	InstallSetup9.exe
2900	InstallSetup9.exe
2900	InstallSetup9.exe
2900	InstallSetup9.exe
2900	InstallSetup9.exe
664	d21cbe21e38b385a41a68c5e6dd32f4c.exe
664	d21cbe21e38b385a41a68c5e6dd32f4c.exe
856
1284	patch.exe
1284	patch.exe
1284	patch.exe
1284	patch.exe
1284	patch.exe
2324	csrss.exe
580	3D51.exe
580	3D51.exe
2900	InstallSetup9.exe
2252	DB04.exe
2476	DB04.exe
2476	DB04.exe
1284	patch.exe
1284	patch.exe
1284	patch.exe
1304	DB04.exe
2324	csrss.exe
1752	DB04.exe
1752	DB04.exe
1752	DB04.exe
1752	DB04.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2244	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2944	WerFault.exe
2860	4BA4.exe
1756	4BA4.tmp
1756	4BA4.tmp
1756	4BA4.tmp
1756	4BA4.tmp
2732	50A5.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1696 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1696	icacls.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2628-532-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1112-551-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2628-554-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

csrss.exed21cbe21e38b385a41a68c5e6dd32f4c.exeDB04.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f057d4e0-9012-42fc-b567-76e63c0a3d16\\DB04.exe\" --AutoStart"	DB04.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

40 api.2ip.ua
41 api.2ip.ua
55 api.2ip.ua
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

3D51.exe

pid process

580 3D51.exe

flow	ioc
40	api.2ip.ua
41	api.2ip.ua
55	api.2ip.ua

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

pid	process
580	3D51.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

DB04.exeDB04.exebuild2.exebuild3.exemstsca.exe

description	pid	process	target process
PID 2252 set thread context of 2476	2252	DB04.exe	DB04.exe
PID 1304 set thread context of 1752	1304	DB04.exe	DB04.exe
PID 2256 set thread context of 2648	2256	build2.exe	build2.exe
PID 2224 set thread context of 2104	2224	build3.exe	build3.exe
PID 2160 set thread context of 1340	2160	mstsca.exe	mstsca.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN d21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Drops file in Windows directory 5 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exemakecab.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\rss\csrss.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240202180327.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2040 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2244 2724 WerFault.exe 3075.exe
2944 2648 WerFault.exe build2.exe

pid	process
2040	sc.exe

pid	pid_target	process	target process
2244	2724	WerFault.exe	3075.exe
2944	2648	WerFault.exe	build2.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

BFD6.exetoolspub1.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	BFD6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	BFD6.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	BFD6.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

3D51.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3D51.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3D51.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1820 schtasks.exe
1528 schtasks.exe
2696 schtasks.exe
1044 schtasks.exe
2208 schtasks.exe
1728 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1432 timeout.exe
2596 timeout.exe

pid	process
1820	schtasks.exe
1528	schtasks.exe
2696	schtasks.exe
1044	schtasks.exe
2208	schtasks.exe
1728	schtasks.exe

pid	process
1432	timeout.exe
2596	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

windefender.exed21cbe21e38b385a41a68c5e6dd32f4c.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	windefender.exe

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

build2.execsrss.exepatch.exeDB04.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	DB04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	DB04.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	DB04.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspub1.exed21cbe21e38b385a41a68c5e6dd32f4c.exed21cbe21e38b385a41a68c5e6dd32f4c.exe3D51.exe

pid	process
2704	toolspub1.exe
2704	toolspub1.exe
2016	d21cbe21e38b385a41a68c5e6dd32f4c.exe
1252
1252
1252
1252
1252
1252
1252
1252
1252
664	d21cbe21e38b385a41a68c5e6dd32f4c.exe
664	d21cbe21e38b385a41a68c5e6dd32f4c.exe
664	d21cbe21e38b385a41a68c5e6dd32f4c.exe
664	d21cbe21e38b385a41a68c5e6dd32f4c.exe
664	d21cbe21e38b385a41a68c5e6dd32f4c.exe
1252
1252
1252
1252
1252
1252
1252
1252
1252
580	3D51.exe
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

toolspub1.exeBFD6.exe

pid process

2704 toolspub1.exe
1200 BFD6.exe

pid	process
468

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.execsrss.exesc.exe50A5.exeadasda.exechromeupdate.exe

description	pid	process
Token: SeDebugPrivilege	2016	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeImpersonatePrivilege	2016	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeShutdownPrivilege	1252
Token: SeSystemEnvironmentPrivilege	2324	csrss.exe
Token: SeShutdownPrivilege	1252
Token: SeSecurityPrivilege	2040	sc.exe
Token: SeSecurityPrivilege	2040	sc.exe
Token: SeShutdownPrivilege	1252
Token: SeShutdownPrivilege	1252
Token: SeShutdownPrivilege	1252
Token: SeShutdownPrivilege	1252
Token: SeShutdownPrivilege	1252
Token: SeDebugPrivilege	2732	50A5.exe
Token: SeDebugPrivilege	2700	adasda.exe
Token: SeShutdownPrivilege	1252
Token: SeDebugPrivilege	1540	chromeupdate.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4BA4.tmp

pid process

1756 4BA4.tmp
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

BroomSetup.exechromeupdate.exe

pid process

2964 BroomSetup.exe
1540 chromeupdate.exe

pid	process
1756	4BA4.tmp

pid	process
2964	BroomSetup.exe
1540	chromeupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exeInstallSetup9.exeBroomSetup.execmd.exed21cbe21e38b385a41a68c5e6dd32f4c.execmd.execsrss.exe3D51.execmd.exe

description	pid	process	target process
PID 2344 wrote to memory of 2016	2344	tmp.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2344 wrote to memory of 2016	2344	tmp.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2344 wrote to memory of 2016	2344	tmp.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2344 wrote to memory of 2016	2344	tmp.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2344 wrote to memory of 2900	2344	tmp.exe	InstallSetup9.exe
PID 2344 wrote to memory of 2900	2344	tmp.exe	InstallSetup9.exe
PID 2344 wrote to memory of 2900	2344	tmp.exe	InstallSetup9.exe
PID 2344 wrote to memory of 2900	2344	tmp.exe	InstallSetup9.exe
PID 2344 wrote to memory of 2900	2344	tmp.exe	InstallSetup9.exe
PID 2344 wrote to memory of 2900	2344	tmp.exe	InstallSetup9.exe
PID 2344 wrote to memory of 2900	2344	tmp.exe	InstallSetup9.exe
PID 2344 wrote to memory of 2704	2344	tmp.exe	toolspub1.exe
PID 2344 wrote to memory of 2704	2344	tmp.exe	toolspub1.exe
PID 2344 wrote to memory of 2704	2344	tmp.exe	toolspub1.exe
PID 2344 wrote to memory of 2704	2344	tmp.exe	toolspub1.exe
PID 2900 wrote to memory of 2964	2900	InstallSetup9.exe	BroomSetup.exe
PID 2900 wrote to memory of 2964	2900	InstallSetup9.exe	BroomSetup.exe
PID 2900 wrote to memory of 2964	2900	InstallSetup9.exe	BroomSetup.exe
PID 2900 wrote to memory of 2964	2900	InstallSetup9.exe	BroomSetup.exe
PID 2900 wrote to memory of 2964	2900	InstallSetup9.exe	BroomSetup.exe
PID 2900 wrote to memory of 2964	2900	InstallSetup9.exe	BroomSetup.exe
PID 2900 wrote to memory of 2964	2900	InstallSetup9.exe	BroomSetup.exe
PID 2900 wrote to memory of 580	2900	InstallSetup9.exe	nsi600C.tmp
PID 2900 wrote to memory of 580	2900	InstallSetup9.exe	nsi600C.tmp
PID 2900 wrote to memory of 580	2900	InstallSetup9.exe	nsi600C.tmp
PID 2900 wrote to memory of 580	2900	InstallSetup9.exe	nsi600C.tmp
PID 2964 wrote to memory of 2148	2964	BroomSetup.exe	cmd.exe
PID 2964 wrote to memory of 2148	2964	BroomSetup.exe	cmd.exe
PID 2964 wrote to memory of 2148	2964	BroomSetup.exe	cmd.exe
PID 2964 wrote to memory of 2148	2964	BroomSetup.exe	cmd.exe
PID 2148 wrote to memory of 1156	2148	cmd.exe	chcp.com
PID 2148 wrote to memory of 1156	2148	cmd.exe	chcp.com
PID 2148 wrote to memory of 1156	2148	cmd.exe	chcp.com
PID 2148 wrote to memory of 1156	2148	cmd.exe	chcp.com
PID 664 wrote to memory of 1612	664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 664 wrote to memory of 1612	664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 664 wrote to memory of 1612	664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 664 wrote to memory of 1612	664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 2148 wrote to memory of 1820	2148	cmd.exe	schtasks.exe
PID 2148 wrote to memory of 1820	2148	cmd.exe	schtasks.exe
PID 2148 wrote to memory of 1820	2148	cmd.exe	schtasks.exe
PID 2148 wrote to memory of 1820	2148	cmd.exe	schtasks.exe
PID 1612 wrote to memory of 2064	1612	cmd.exe	netsh.exe
PID 1612 wrote to memory of 2064	1612	cmd.exe	netsh.exe
PID 1612 wrote to memory of 2064	1612	cmd.exe	netsh.exe
PID 664 wrote to memory of 2324	664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 664 wrote to memory of 2324	664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 664 wrote to memory of 2324	664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 664 wrote to memory of 2324	664	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 2324 wrote to memory of 2512	2324	csrss.exe	injector.exe
PID 2324 wrote to memory of 2512	2324	csrss.exe	injector.exe
PID 2324 wrote to memory of 2512	2324	csrss.exe	injector.exe
PID 2324 wrote to memory of 2512	2324	csrss.exe	injector.exe
PID 580 wrote to memory of 1340	580	3D51.exe	cmd.exe
PID 580 wrote to memory of 1340	580	3D51.exe	cmd.exe
PID 580 wrote to memory of 1340	580	3D51.exe	cmd.exe
PID 580 wrote to memory of 1340	580	3D51.exe	cmd.exe
PID 1340 wrote to memory of 1432	1340	cmd.exe	timeout.exe
PID 1340 wrote to memory of 1432	1340	cmd.exe	timeout.exe
PID 1340 wrote to memory of 1432	1340	cmd.exe	timeout.exe
PID 1340 wrote to memory of 1432	1340	cmd.exe	timeout.exe
PID 1252 wrote to memory of 1200	1252		BFD6.exe
PID 1252 wrote to memory of 1200	1252		BFD6.exe
PID 1252 wrote to memory of 1200	1252		BFD6.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
3⤵
- DcRat
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2064

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1284

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:1996

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
6⤵
- Modifies boot configuration data using bcdedit
PID:1616

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
6⤵
- Modifies boot configuration data using bcdedit
PID:1004

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
6⤵
- Modifies boot configuration data using bcdedit
PID:2892

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
6⤵
- Modifies boot configuration data using bcdedit
PID:2396

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
6⤵
- Modifies boot configuration data using bcdedit
PID:2084

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
6⤵
- Modifies boot configuration data using bcdedit
PID:756

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
6⤵
- Modifies boot configuration data using bcdedit
PID:1916

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:2752

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:1280

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
6⤵
- Modifies boot configuration data using bcdedit
PID:380

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:676

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
6⤵
- Modifies boot configuration data using bcdedit
PID:2536

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:2512

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
5⤵
- Executes dropped EXE
PID:596

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
5⤵
- Modifies boot configuration data using bcdedit
PID:2044

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:2696

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
- Executes dropped EXE
PID:2628

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:2396

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:1156

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:1820

C:\Users\Admin\AppData\Local\Temp\nsi600C.tmp
C:\Users\Admin\AppData\Local\Temp\nsi600C.tmp
3⤵
- Executes dropped EXE
PID:580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsi600C.tmp" & del "C:\ProgramData\*.dll"" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
5⤵
- Delays execution with timeout.exe
PID:1432

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2704

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240202180327.log C:\Windows\Logs\CBS\CbsPersist_20240202180327.cab
1⤵
- Drops file in Windows directory
PID:2568

C:\Users\Admin\AppData\Local\Temp\BFD6.exe
C:\Users\Admin\AppData\Local\Temp\BFD6.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1200

C:\Users\Admin\AppData\Local\Temp\DB04.exe
C:\Users\Admin\AppData\Local\Temp\DB04.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2252

C:\Users\Admin\AppData\Local\Temp\DB04.exe
C:\Users\Admin\AppData\Local\Temp\DB04.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
PID:2476

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f057d4e0-9012-42fc-b567-76e63c0a3d16" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1696

C:\Users\Admin\AppData\Local\Temp\DB04.exe
"C:\Users\Admin\AppData\Local\Temp\DB04.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1304

C:\Users\Admin\AppData\Local\Temp\DB04.exe
"C:\Users\Admin\AppData\Local\Temp\DB04.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752

C:\Users\Admin\AppData\Local\2317d8c7-d14b-4464-a275-48299f025d7a\build2.exe
"C:\Users\Admin\AppData\Local\2317d8c7-d14b-4464-a275-48299f025d7a\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2256

C:\Users\Admin\AppData\Local\2317d8c7-d14b-4464-a275-48299f025d7a\build2.exe
"C:\Users\Admin\AppData\Local\2317d8c7-d14b-4464-a275-48299f025d7a\build2.exe"
6⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 1440
7⤵
- Loads dropped DLL
- Program crash
PID:2944

C:\Users\Admin\AppData\Local\2317d8c7-d14b-4464-a275-48299f025d7a\build3.exe
"C:\Users\Admin\AppData\Local\2317d8c7-d14b-4464-a275-48299f025d7a\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2224

C:\Users\Admin\AppData\Local\2317d8c7-d14b-4464-a275-48299f025d7a\build3.exe
"C:\Users\Admin\AppData\Local\2317d8c7-d14b-4464-a275-48299f025d7a\build3.exe"
6⤵
- Executes dropped EXE
PID:2104

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- DcRat
- Creates scheduled task(s)
PID:1044

C:\Users\Admin\AppData\Local\Temp\3075.exe
C:\Users\Admin\AppData\Local\Temp\3075.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 96
2⤵
- Loads dropped DLL
- Program crash
PID:2244

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1112

C:\Users\Admin\AppData\Local\Temp\3D51.exe
C:\Users\Admin\AppData\Local\Temp\3D51.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:580

C:\Users\Admin\AppData\Local\Temp\4BA4.exe
C:\Users\Admin\AppData\Local\Temp\4BA4.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860

C:\Users\Admin\AppData\Local\Temp\is-1GGLQ.tmp\4BA4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1GGLQ.tmp\4BA4.tmp" /SL5="$501A8,7448198,54272,C:\Users\Admin\AppData\Local\Temp\4BA4.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:1756

C:\Users\Admin\AppData\Local\Py Object Serialization\pyobjserialization.exe
"C:\Users\Admin\AppData\Local\Py Object Serialization\pyobjserialization.exe" -i
3⤵
- Executes dropped EXE
PID:2960

C:\Users\Admin\AppData\Local\Py Object Serialization\pyobjserialization.exe
"C:\Users\Admin\AppData\Local\Py Object Serialization\pyobjserialization.exe" -s
3⤵
- Executes dropped EXE
PID:2556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "155776210-37302873-1295513758926316040-19589718687175924671323240627648666039"
1⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\50A5.exe
C:\Users\Admin\AppData\Local\Temp\50A5.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Users\Admin\AppData\Local\Temp\adasda.exe
"C:\Users\Admin\AppData\Local\Temp\adasda.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"' & exit
3⤵
PID:2380

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"'
4⤵
- DcRat
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAF43.tmp.bat""
3⤵
PID:1336

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2596

C:\Users\Admin\AppData\Roaming\chromeupdate.exe
"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Windows\system32\taskeng.exe
taskeng.exe {C0CE66F5-A172-4D9D-B9DC-D99AE53CC177} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]
1⤵
PID:2920

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2160

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1340

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- DcRat
- Creates scheduled task(s)
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

Virtualization/Sandbox Evasion

T1497

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery