ed676bd32b29b05d3f31ae4dcda6a5c4a9fab54f3f5d328b3f5fa80182a9cd0e

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZuluServer Monitor = "\"C:\\Program Files\\ZuluGIS\\ZuluSrvm.exe\" /h"	msiexec.exe

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exemsiexec.exe

flow pid process

3 1676 msiexec.exe
5 1676 msiexec.exe
7 1928 msiexec.exe

flow	pid	process
3	1676	msiexec.exe
5	1676	msiexec.exe
7	1928	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 1 IoCs

Processes:

ZuluServ.exe

description ioc process

File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Zulu\RemoteConn.cfg ZuluServ.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Zulu\RemoteConn.cfg	ZuluServ.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\ZuluGIS\Examples\Gaz\Gaz_n\Gaz.b08	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Gaz\Gaz_n\Gaz_nd.zmp	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Steam\SteamDevices\par.d04	msiexec.exe
File created	C:\Program Files\ZuluGIS\ReferenceAssemblies\Zulu.Interop.Zulu.dll	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Magistral\Teplo\Teplo.b06	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\WaterHammer\Simple\Test.b06	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Hydro\Kvartal\voda_zt.tl	msiexec.exe
File created	C:\Program Files\ZuluGIS\lang\zuluui.en.lang	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Building\TEPLO\ARM_T_UZ.d08	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Magistral\Quart.zsx	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Magistral\Teplo.b03	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Hydro\Sample1\water supply.b03	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0001.b03	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0001.zx	msiexec.exe
File created	C:\Program Files\ZuluGIS\api-ms-win-core-string-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\ZuluGIS\ws\schemas\gml\3.1.1\base\datums.xsd	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Gaz\Gaz_v\Gaz.d04	msiexec.exe
File created	C:\Program Files\ZuluGIS\Data\OpenStreetMap\OpenCircleMap.zww	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\poi-polygon.sqlite	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Thermogram\teplo.b07	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Drain\Sample2\drain2.b00	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\water-polygon.b05	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0001.b02	msiexec.exe
File created	C:\Program Files\ZuluGIS\api-ms-win-core-file-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\ZuluGIS\api-ms-win-core-rtlsupport-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\ZuluGIS\api-ms-win-crt-stdio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Building\TEPLO\ARM_T_UZ.b05	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Defect\defect.b03	msiexec.exe
File created	C:\Program Files\ZuluGIS\Preset\osm\MapQuest.zww	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Steam\SteamDevices\par.d00	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Nasos\teploNS.b06	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Kvartal\teplosam_rezerv.zx	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Building\FLOOR\0003.b02	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\OSM\OpenStreetMap\BOUNDARY-POLYGON.b08	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Drain\Sample1\drain.d01	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Gaz\Gaz_n\Gaz.b07	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\WaterHammer\Simple\Test_wt.wt	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\WaterHammer\Basic\VODA.d06	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Nasos\Doma.b01	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Kvartal\teplosam_rezerv.b05	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\WaterHammer\Append\append.zsx	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Thermogram\out.b08	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Hydro\Sample1\water supply.b02	msiexec.exe
File created	C:\Program Files\ZuluGIS\ws\schemas\gml\3.1.1\base\gml.xsd	msiexec.exe
File created	C:\Program Files\ZuluGIS\ws\schemas\gml\3.1.1\base\gmlBase.xsd	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Steam\SteamPipe\par.zsx	msiexec.exe
File created	C:\Program Files\ZuluGIS\Qt5Gui.dll	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Kvartal\QUART.zsx	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Kvartal\teplosam.l02	msiexec.exe
File created	C:\Program Files\ZuluGIS\Preset\2gis\2gis.zww	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Drain\Sample3\drain.l02	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Gaz\Gaz_n\Gaz.d00	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\WaterHammer\Simple\Test.b07	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Kvartal\TEXT.lnn	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Gaz\Gaz_n\Doma.b04	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Kvartal\teplosam_rezerv.l00	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Nasos\kvartal.b00	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Steam\SteamPipe\par.l00	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Building\TEPLO\TEKST.B04	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Thermo\Magistral\Teplo.b04	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Hydro\Kvartal\TEXT.lnn	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Hydro\Kvartal\voda.b08	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Gaz\Gaz_v\Doma.lnn	msiexec.exe
File created	C:\Program Files\ZuluGIS\Examples\Gaz\Gaz_v\Gaz.sqlite	msiexec.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI7711.tmp	msiexec.exe
File created	C:\Windows\assembly\tmp\II4G888T\Zulu.Interop.zuluui.dll	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfcm140u.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI89D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\msvcp140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\assembly\tmp\FK73SEOY\Zulu.Interop.Zulu.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\f766f67.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140cht.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\vcruntime140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\{4621229A-99DF-4127-AAE3-D22ADE50B218}\Company.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{4621229A-99DF-4127-AAE3-D22ADE50B218}\Company.ico	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140cht.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\msvcp140_1.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8903.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI915F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7946.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140enu.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140enu.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\msvcp140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140rus.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfcm140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\vccorlib140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\vccorlib140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI7790.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\concrt140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140jpn.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\vcruntime140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\f766f69.msi	msiexec.exe
File created	C:\Windows\Installer\f766f67.ipi	msiexec.exe
File created	C:\Windows\assembly\GACLock.dat	msiexec.exe
File created	C:\Windows\assembly\tmp\BD9BGZE5\Zulu.Interop.ZuluLib.dll	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140deu.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfcm140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\f766f66.msi	msiexec.exe
File created	C:\Windows\assembly\tmp\J9WG70QJ\Zulu.Interop.Zb.dll	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140rus.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\assembly\tmp\J5DSNXFB\Zulu.Interop.ZuluComNetOcx.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140fra.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\msvcp140_1.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7957.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140chs.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140deu.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfcm140u.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\f766f66.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140esn.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140ita.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\msvcp140_2.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI76F1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7741.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7936.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140jpn.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140kor.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7B5B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\concrt140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\A9221264FD997214AA3E2DA2ED052B81\10.0.8803\mfc140esn.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3	msiexec.exe

Executes dropped EXE 4 IoCs

Processes:

ZuluServ.exezssetup.exezssetup.exeZuluSrvm.exe

pid process

1224 ZuluServ.exe
1288 zssetup.exe
1748 zssetup.exe
2776 ZuluSrvm.exe

pid	process
1224	ZuluServ.exe
1288	zssetup.exe
1748	zssetup.exe
2776	ZuluSrvm.exe

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exemsiexec.exeMsiExec.exeZuluServ.exezssetup.exe

pid	process
2840	MsiExec.exe
2840	MsiExec.exe
2216	MsiExec.exe
2404	MsiExec.exe
2404	MsiExec.exe
2404	MsiExec.exe
2404	MsiExec.exe
2404	MsiExec.exe
2216	MsiExec.exe
1240	MsiExec.exe
1240	MsiExec.exe
1240	MsiExec.exe
752
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
1928	msiexec.exe
2824	MsiExec.exe
476
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1224	ZuluServ.exe
1928	msiexec.exe
1288	zssetup.exe
1288	zssetup.exe
1288	zssetup.exe
1288	zssetup.exe
1288	zssetup.exe
1288	zssetup.exe
1288	zssetup.exe
1288	zssetup.exe
1288	zssetup.exe
1288	zssetup.exe
1288	zssetup.exe
1288	zssetup.exe
1288	zssetup.exe
1288	zssetup.exe
1288	zssetup.exe
1288	zssetup.exe
1288	zssetup.exe
1288	zssetup.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{125070A8-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125070D0-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{125073A3-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{30C0B722-873C-11D3-BF56-D212EB700DCD}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507025-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507387-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\Zb.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{30C0B928-873C-11D3-BF56-D212EB700DCD}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507518-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125ED014-16FE-4E3D-90B0-195EFCF6E174}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\Steam.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125ED010-16FE-4E3D-90B0-195EFCF6E174}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{30C0B959-873C-11D3-BF56-D212EB700DCD}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507094-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507448-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125073B8-0B01-11D2-B55D-444553540000}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507126-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507522-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B72F-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1250751E-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{125070E5-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{125074C9-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507349-0B01-11D2-B55D-444553540000}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125073A3-0B01-11D2-B55D-444553540000}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507223-0B01-11D2-B55D-444553540000}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507123-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125070B2-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125070D8-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{125ED014-16FE-4E3D-90B0-195EFCF6E174}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{125073B1-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1250748A-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B730-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluChrt.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507504-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507522-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluComNetCtrl.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125ED015-16FE-4E3D-90B0-195EFCF6E174}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\Gaz.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B928-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\zuluui.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507096-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507418-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0C937-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B712-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507516-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluComNetCtrl.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{125070A0-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1250746E-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125074DD-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507126-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluCtrl.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507133-0B01-11D2-B55D-444553540000}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B93C-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507511-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluComNetCtrl.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1250713C-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluCtrl.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507129-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluCtrl.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{30C0B730-873C-11D3-BF56-D212EB700DCD}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B92C-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\zuluui.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{125074C6-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0C937-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\zulurep.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125ED014-16FE-4E3D-90B0-195EFCF6E174}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507136-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluCtrl.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507129-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507435-11DD-4DDC-AFDA-3007DB024F4D}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluCtrl.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507436-11DD-4DDC-AFDA-3007DB024F4D}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E50D21A-0813-4E66-8D1D-009AA4FEA791}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507098-0B01-11D2-B55D-444553540000}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507415-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B928-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507418-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507479-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\ZuluLib.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507349-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

ZuluServ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ZuluServ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ZuluServ.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

ZuluServ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ZuluServ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	ZuluServ.exe

Modifies data under HKEY_USERS 53 IoCs

Processes:

DrvInst.exeZuluServ.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Zulu\5.0\Zulu	ZuluServ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Zulu\5.0	ZuluServ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Zulu	ZuluServ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Zulu\5.0\Zulu\lang	ZuluServ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Zulu\5.0\Zulu\Hasp	ZuluServ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Zulu\5.0\Zulu\MapWindow	ZuluServ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Zulu\5.0\Zulu\Settings	ZuluServ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125070E7-0B01-11D2-B55D-444553540000}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Zb.AsciiFormat\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{125074D3-0B01-11D2-B55D-444553540000}\ = "IBoundingBoxes"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{125070B8-0B01-11D2-B55D-444553540000}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1250712A-0B01-11D2-B55D-444553540000}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30C0B724-873C-11D3-BF56-D212EB700DCD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1250709D-0B01-11D2-B55D-444553540000}\ = "IChangedElementKeys"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125070C0-0B01-11D2-B55D-444553540000}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12507478-11DD-4DDC-AFDA-3007DB025F4D}\TypeLib\ = "{12507020-0B01-11D2-B55D-444553540000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Zulu.Report.Legend\ = "Zulu.Report.Legend"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{125074DD-0B01-11D2-B55D-444553540000}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.zrg	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{125073BA-0B01-11D2-B55D-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{125074C1-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{30C0C930-873C-11D3-BF56-D212EB700DCD}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507435-11DD-4DDC-AFDA-3007DB024F4D}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Zulu.Chart.PpgChartGrid	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507522-11DD-4DDC-AFDA-3007DB025F4D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E50D21A-0813-4E66-8D1D-009AA4FEA791}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507413-11DD-4DDC-AFDA-3007DB025F4D}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30C0B721-873C-11D3-BF56-D212EB700DCD}\TypeLib\Version = "8.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{1250742C-11DD-4DDC-AFDA-3007DB025F4D}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\zulu.zttfile\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12507134-0B01-11D2-B55D-444553540000}\TypeLib\ = "{12507120-0B01-11D2-B55D-444553540000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ZuluComNetOcx.TaskSteam	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507415-11DD-4DDC-AFDA-3007DB025F4D}\ = "ZuluLib.ZsConnection"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507023-0B01-11D2-B55D-444553540000}\AuxUserType\2	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ZuluOcx.PpgMapToolBarButtons\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F4A8E33E4390CC5468CBD92287697BA2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B930-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\zuluui.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{30C0B720-873C-11D3-BF56-D212EB700DCD}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30C0B724-873C-11D3-BF56-D212EB700DCD}\TypeLib\Version = "8.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507520-11DD-4DDC-AFDA-3007DB025F4D}\ProgID	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9221264FD997214AA3E2DA2ED052B81\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ZuluLib.HighlightParams	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1250713F-0B01-11D2-B55D-444553540000}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1250713C-0B01-11D2-B55D-444553540000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{30C0B710-873C-11D3-BF56-D212EB700DCD}\8.0\0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12507059-0B01-11D2-B55D-444553540000}\ = "IObjectModes"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{125073B1-0B01-11D2-B55D-444553540000}\ = "Zb.ZbSqlParams"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{12507125-0B01-11D2-B55D-444553540000}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30C0B92B-873C-11D3-BF56-D212EB700DCD}\ = "ILineComboBoxEvents"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12507508-11DD-4DDC-AFDA-3007DB025F4D}\TypeLib\ = "{12507500-11DD-4DDC-AFDA-3007DB025F4D}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507439-11DD-4DDC-AFDA-3007DB024F4D}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ZuluLib.ZGps\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{30C0C938-873C-11D3-BF56-D212EB700DCD}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12507139-0B01-11D2-B55D-444553540000}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ZuluComNetOcx.TaskGazCtrl.1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F4CF551-8493-44C9-8D44-32B1DB8877BC}\a.0\0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12507073-0B01-11D2-B55D-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507098-0B01-11D2-B55D-444553540000}\ = "ZuluLib.PolyLine"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1250736C-0B01-11D2-B55D-444553540000}\ = "IZbQueryInfo"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12507456-11DD-4DDC-AFDA-3007DB025F4D}\ = "ICommandBar"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZuluOcx.MapAerialCtrl.1\ = "Zulu Aerial View Control"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Zulu.Piezo.TaskSolver\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12507443-11DD-4DDC-AFDA-3007DB025F4D}\ = "IRasterObject"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{12507503-11DD-4DDC-AFDA-3007DB025F4D}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Zulu.Voda.TaskSolver\ = "Zulu.Voda.TaskSolver"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12507223-0B01-11D2-B55D-444553540000}\ = "Zulu"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12507073-0B01-11D2-B55D-444553540000}\TypeLib\ = "{12507020-0B01-11D2-B55D-444553540000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZuluLib.LineStyleDef\ = "ZuluLib.LineStyleDef"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{30C0C928-873C-11D3-BF56-D212EB700DCD}\Control	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1250713F-0B01-11D2-B55D-444553540000}\Implemented Categories	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{30C0B93C-873C-11D3-BF56-D212EB700DCD}\InprocServer32\ = "C:\\Program Files\\ZuluGIS\\zuluui.dll"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1928 msiexec.exe
1928 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

msiexec.exezssetup.exe

pid process

1676 msiexec.exe
1748 zssetup.exe

pid	process
1928	msiexec.exe
1928	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1676	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1676	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeSecurityPrivilege	1928	msiexec.exe
Token: SeCreateTokenPrivilege	1676	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1676	msiexec.exe
Token: SeLockMemoryPrivilege	1676	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1676	msiexec.exe
Token: SeMachineAccountPrivilege	1676	msiexec.exe
Token: SeTcbPrivilege	1676	msiexec.exe
Token: SeSecurityPrivilege	1676	msiexec.exe
Token: SeTakeOwnershipPrivilege	1676	msiexec.exe
Token: SeLoadDriverPrivilege	1676	msiexec.exe
Token: SeSystemProfilePrivilege	1676	msiexec.exe
Token: SeSystemtimePrivilege	1676	msiexec.exe
Token: SeProfSingleProcessPrivilege	1676	msiexec.exe
Token: SeIncBasePriorityPrivilege	1676	msiexec.exe
Token: SeCreatePagefilePrivilege	1676	msiexec.exe
Token: SeCreatePermanentPrivilege	1676	msiexec.exe
Token: SeBackupPrivilege	1676	msiexec.exe
Token: SeRestorePrivilege	1676	msiexec.exe
Token: SeShutdownPrivilege	1676	msiexec.exe
Token: SeDebugPrivilege	1676	msiexec.exe
Token: SeAuditPrivilege	1676	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1676	msiexec.exe
Token: SeChangeNotifyPrivilege	1676	msiexec.exe
Token: SeRemoteShutdownPrivilege	1676	msiexec.exe
Token: SeUndockPrivilege	1676	msiexec.exe
Token: SeSyncAgentPrivilege	1676	msiexec.exe
Token: SeEnableDelegationPrivilege	1676	msiexec.exe
Token: SeManageVolumePrivilege	1676	msiexec.exe
Token: SeImpersonatePrivilege	1676	msiexec.exe
Token: SeCreateGlobalPrivilege	1676	msiexec.exe
Token: SeCreateTokenPrivilege	1676	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1676	msiexec.exe
Token: SeLockMemoryPrivilege	1676	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1676	msiexec.exe
Token: SeMachineAccountPrivilege	1676	msiexec.exe
Token: SeTcbPrivilege	1676	msiexec.exe
Token: SeSecurityPrivilege	1676	msiexec.exe
Token: SeTakeOwnershipPrivilege	1676	msiexec.exe
Token: SeLoadDriverPrivilege	1676	msiexec.exe
Token: SeSystemProfilePrivilege	1676	msiexec.exe
Token: SeSystemtimePrivilege	1676	msiexec.exe
Token: SeProfSingleProcessPrivilege	1676	msiexec.exe
Token: SeIncBasePriorityPrivilege	1676	msiexec.exe
Token: SeCreatePagefilePrivilege	1676	msiexec.exe
Token: SeCreatePermanentPrivilege	1676	msiexec.exe
Token: SeBackupPrivilege	1676	msiexec.exe
Token: SeRestorePrivilege	1676	msiexec.exe
Token: SeShutdownPrivilege	1676	msiexec.exe
Token: SeDebugPrivilege	1676	msiexec.exe
Token: SeAuditPrivilege	1676	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1676	msiexec.exe
Token: SeChangeNotifyPrivilege	1676	msiexec.exe
Token: SeRemoteShutdownPrivilege	1676	msiexec.exe
Token: SeUndockPrivilege	1676	msiexec.exe
Token: SeSyncAgentPrivilege	1676	msiexec.exe
Token: SeEnableDelegationPrivilege	1676	msiexec.exe
Token: SeManageVolumePrivilege	1676	msiexec.exe
Token: SeImpersonatePrivilege	1676	msiexec.exe
Token: SeCreateGlobalPrivilege	1676	msiexec.exe
Token: SeCreateTokenPrivilege	1676	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msiexec.exeZuluSrvm.exe

pid	process
1676	msiexec.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

ZuluSrvm.exe

pid	process
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

ZuluServ.exezssetup.exezssetup.exeZuluSrvm.exe

pid process

1224 ZuluServ.exe
1288 zssetup.exe
1748 zssetup.exe
1748 zssetup.exe
2776 ZuluSrvm.exe
2776 ZuluSrvm.exe

pid	process
1224	ZuluServ.exe
1288	zssetup.exe
1748	zssetup.exe
1748	zssetup.exe
2776	ZuluSrvm.exe
2776	ZuluSrvm.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

msiexec.exeMsiExec.exewevtutil.exezssetup.exe

description	pid	process	target process
PID 1928 wrote to memory of 2840	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2840	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2840	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2840	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2840	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2840	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2840	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2216	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2216	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2216	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2216	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2216	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2404	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2404	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2404	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2404	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2404	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2404	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2404	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 1240	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 1240	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 1240	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 1240	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 1240	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 1240	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 1240	1928	msiexec.exe	MsiExec.exe
PID 1240 wrote to memory of 2768	1240	MsiExec.exe	wevtutil.exe
PID 1240 wrote to memory of 2768	1240	MsiExec.exe	wevtutil.exe
PID 1240 wrote to memory of 2768	1240	MsiExec.exe	wevtutil.exe
PID 1240 wrote to memory of 2768	1240	MsiExec.exe	wevtutil.exe
PID 2768 wrote to memory of 2760	2768	wevtutil.exe	wevtutil.exe
PID 2768 wrote to memory of 2760	2768	wevtutil.exe	wevtutil.exe
PID 2768 wrote to memory of 2760	2768	wevtutil.exe	wevtutil.exe
PID 2768 wrote to memory of 2760	2768	wevtutil.exe	wevtutil.exe
PID 1928 wrote to memory of 2824	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2824	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2824	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2824	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 2824	1928	msiexec.exe	MsiExec.exe
PID 1928 wrote to memory of 1288	1928	msiexec.exe	zssetup.exe
PID 1928 wrote to memory of 1288	1928	msiexec.exe	zssetup.exe
PID 1928 wrote to memory of 1288	1928	msiexec.exe	zssetup.exe
PID 1288 wrote to memory of 1748	1288	zssetup.exe	zssetup.exe
PID 1288 wrote to memory of 1748	1288	zssetup.exe	zssetup.exe
PID 1288 wrote to memory of 1748	1288	zssetup.exe	zssetup.exe
PID 1928 wrote to memory of 2776	1928	msiexec.exe	ZuluSrvm.exe
PID 1928 wrote to memory of 2776	1928	msiexec.exe	ZuluSrvm.exe
PID 1928 wrote to memory of 2776	1928	msiexec.exe	ZuluSrvm.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ZuluServer2021_x64_ru.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1676

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Registers COM server for autorun
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C7E1C229C1B7D00EC1ADB2813C03FC86 C
2⤵
- Loads dropped DLL
PID:2840

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 9953F485DF63F1DD0FA4B6DEDB85D0B7
2⤵
- Loads dropped DLL
PID:2216

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2EE77D0475D7C4273484AD38DCDC1B33
2⤵
- Loads dropped DLL
PID:2404

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A31BDB9FC974D79627C04EF571B6D71D M Global\MSI0000
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\syswow64\wevtutil.exe
"wevtutil.exe" im "C:\Program Files\ZuluGIS\ZSWinEvtProv.man"
3⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\System32\wevtutil.exe
"wevtutil.exe" im "C:\Program Files\ZuluGIS\ZSWinEvtProv.man" /fromwow64
4⤵
PID:2760

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 89A846A15F47DE48AA2E78A449A7FC86 M Global\MSI0000
2⤵
- Loads dropped DLL
PID:2824

C:\Program Files\ZuluGIS\zssetup.exe
"C:\Program Files\ZuluGIS\zssetup.exe" -i
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1288

C:\Program Files\ZuluGIS\zssetup.exe
"C:\Program Files\ZuluGIS\zssetup.exe" /e
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Program Files\ZuluGIS\ZuluSrvm.exe
"C:\Program Files\ZuluGIS\ZuluSrvm.exe" /h
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1520

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B0" "000000000000059C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2500

C:\Program Files\ZuluGIS\ZuluServ.exe
"C:\Program Files\ZuluGIS\ZuluServ.exe" /s
1⤵
- Identifies Wine through registry keys
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery