5051edf86f5e10baca635c7319b42e0cd2395c1293a9de6b0d45a8236f689207

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	nossvc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	nosstarter.npe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\np_ck64s\ImagePath = "\\??\\C:\\Windows\\syswow64\\np_ck64s.sys"	nosstarter.npe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\noskp\ImagePath = "\\??\\C:\\Windows\\syswow64\\noskp64.sys"	nosstarter.npe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nosku\ImagePath = "\\??\\C:\\Windows\\syswow64\\nosku64.sys"	nossvc.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0002000000022850-27.dat	acprotect

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nosstarter.npe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nosstarter.npe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nossvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nossvc.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Wine	nosstarter.npe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000022850-27.dat	upx
behavioral2/memory/3236-31-0x00000000745E0000-0x00000000745EB000-memory.dmp	upx

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4124	netsh.exe
384	netsh.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	nosstarter.npe
File opened for modification	\??\PhysicalDrive0	nossvc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	nos_setup.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tkfwfltU.dll	nos_setup.exe
File created	C:\Windows\SysWOW64\TKRgAc2k.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\TKRgFt2k.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\TKTool2k64.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\TKIdsVt.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\TKCtrlU.dll	nos_setup.exe
File opened for modification	C:\Windows\SysWOW64\tkfwvt.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\tkids.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\TKFsAv.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\TKPcFtHk.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\noska.sys	nos_setup.exe
File opened for modification	C:\Windows\SysWOW64\noskp64.sys	nos_setup.exe
File created	C:\Windows\system32\TKRgAc2k64.sys	nos_setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	nossvc.exe
File created	C:\Windows\SysWOW64\noskp.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\TKPcFtCb.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\tkidsxU.dll	nos_setup.exe
File created	C:\Windows\system32\TKFWFV64.cat	nos_setup.exe
File created	C:\Windows\SysWOW64\TKRgFtXp.sys	nos_setup.exe
File created	C:\Windows\system32\TKRgFtXp64.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\TKFsFtMu.dll	nos_setup.exe
File created	C:\Windows\SysWOW64\TKPcFtu.dll	nos_setup.exe
File created	C:\Windows\system32\TKIdsVt64.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\nosku64.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\TKRgAcu.dll	nos_setup.exe
File created	C:\Windows\system32\TKFsAv64.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\np_ck64s.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\TKFWU.dll	nos_setup.exe
File created	C:\Windows\SysWOW64\TKRgFtu.dll	nos_setup.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\nProtect\Log\nossvc.exe.npo	nossvc.exe
File created	C:\Windows\SysWOW64\TKFWFV.sys	nos_setup.exe
File created	C:\Windows\system32\TKPcFtHk64.sys	nos_setup.exe
File created	C:\Windows\system32\TKCtrl2k64.sys	nos_setup.exe
File created	C:\Windows\system32\TKFWFV.inf	nos_setup.exe
File opened for modification	C:\Windows\SysWOW64\TKTool2k.sys	nos_setup.exe
File created	C:\Windows\system32\TKPcFtCb64.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\TKFsAvMu.dll	nos_setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	nossvc.exe
File created	C:\Windows\system32\TKTool2k64.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\tknetcfg64.exe	nos_setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_57A2C0279A08627E11FF1DF2980084B2	nossvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	nossvc.exe
File created	C:\Windows\SysWOW64\TKTool2k.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\nProtect\Log\nossvc.exe.npo	nossvc.exe
File opened for modification	C:\Windows\system32\TKIdsVt64.sys	nos_setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\nProtect\Log\nossvc.exe.npo	nossvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	nossvc.exe
File created	C:\Windows\SysWOW64\npkakl.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\npkfxa.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\TKCtrl2k.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\TKFsFt.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\TKToolu.dll	nos_setup.exe
File opened for modification	C:\Windows\system32\TKTool2k64.sys	nos_setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F	nossvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_7B515E7EBE66B3EE73F637DB4EAC6498	nossvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\nProtect\Log\nossvc.exe.npo	nossvc.exe
File created	C:\Windows\SysWOW64\tkfwvt.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\nosku.sys	nos_setup.exe
File created	C:\Windows\SysWOW64\tknetcfg.exe	nos_setup.exe
File created	C:\Windows\system32\tkfwvt64.sys	nos_setup.exe
File created	C:\Windows\system32\TKFsFt64.sys	nos_setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	nossvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	nossvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_7B515E7EBE66B3EE73F637DB4EAC6498	nossvc.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	nosstarter.npe
File opened (read-only)	\??\VBoxMiniRdrDN	nossvc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnins_heungkukfirecyber.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnins_miraeassetlife.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\libnspr4.dll	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\nss3.dll	nos_setup.exe
File created	C:\Program Files (x86)\Common Files\nProtect Shared\Engine\BwtTrust.dll	nos_setup.exe
File opened for modification	C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\nss3.dll	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\noske64.exe	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcstt.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpngov_nyjdreamcall.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnbank_flab_hanwha.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnorg_kscfc.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKCtrlU.dll	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x64\TKIdsVt64.sys	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnbank_bss.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnbank_hanasavings.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpncompany_ktnet.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpngov_eminwonmolit.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnins_chubb.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnorg_kdissw.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\Root Certification Authority.cer	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\nssutil3.dll	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskkbd.dll	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\ns\icon_logo.npi	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnbank_insungbank.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpngov_emmskogas.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnstock_hanahts.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnstock_samsungcnt.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\protect\dll\TKPcFtu.dll	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnstock_hana.npx	nos_setup.exe
File opened for modification	C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosApsData.npb	nosstarter.npe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnbank_thebank.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpngov_kipo.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKFsAvMu.dll	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnbank_fsb.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpngov_neis_public.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\noskp64.sys	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64_dll\TKNetCfg64.exe	nos_setup.exe
File created	C:\Program Files (x86)\Common Files\nProtect Shared\Engine\TySUtilu.dll	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskes.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\nps\close.npi	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcbscallow.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\armx64\TKNetCfg64.exe	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x64\TKCtrl2k64.sys	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\network\x86\tknetcfg64.exe	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\smime3.dll	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpncard_lottecard.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpncompany_vwfs.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpngov_nas_assembly.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnins_reimbursement.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\nprotect-root_ca.cer	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpngov_lx.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\nps\imgWarn.npi	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcrtddriver.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpngov_eminwon.goyang.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpnins_histock.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\TYAVPU_000.bin	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\coredll\rtd\TYAVSU_000.bin	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\npcnpncompany_konai.npx	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\bsc20\npacr_64.dll	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npesm.npd	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noskfx64.dll	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\nps\npicommon.npi	nos_setup.exe
File created	C:\Program Files (x86)\INCAInternet\nProtect Online Security\npx\nplfsav.npx	nos_setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\nosxplatform.ocx	nos_setup.exe

Executes dropped EXE 17 IoCs

pid	Process
3016	nprotect_install.exe
3108	nossvc.exe
2008	nosstarter.npe
6108	certutil.exe
5348	certutil.exe
5532	certutil.exe
5596	certutil.exe
5628	certutil.exe
5700	certutil.exe
5884	certutil.exe
5680	certutil.exe
5932	certutil.exe
5236	certutil.exe
5616	certutil.exe
5264	certutil.exe
5788	noske64.exe
5392	noske64.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4776	sc.exe
1416	sc.exe
4748	sc.exe
2528	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3108	nossvc.exe
2008	nosstarter.npe
6108	certutil.exe
6108	certutil.exe
6108	certutil.exe
6108	certutil.exe
6108	certutil.exe
6108	certutil.exe
6108	certutil.exe
6108	certutil.exe
6108	certutil.exe
6108	certutil.exe
6108	certutil.exe
5348	certutil.exe
5348	certutil.exe
5348	certutil.exe
5348	certutil.exe
5348	certutil.exe
5348	certutil.exe
5348	certutil.exe
5348	certutil.exe
5348	certutil.exe
5348	certutil.exe
5348	certutil.exe
5532	certutil.exe
5532	certutil.exe
5532	certutil.exe
5532	certutil.exe
5532	certutil.exe
5532	certutil.exe
5532	certutil.exe
5532	certutil.exe
5532	certutil.exe
5532	certutil.exe
5532	certutil.exe
5596	certutil.exe
5596	certutil.exe
5596	certutil.exe
5596	certutil.exe
5596	certutil.exe
5596	certutil.exe
5596	certutil.exe
5596	certutil.exe
5596	certutil.exe
5596	certutil.exe
5596	certutil.exe
5628	certutil.exe
5628	certutil.exe
5628	certutil.exe
5628	certutil.exe
5628	certutil.exe
5628	certutil.exe
5628	certutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	nosstarter.npe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nosstarter.npe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nosstarter.npe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	nossvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	nossvc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB5B174-82E3-4669-9210-C2EE035DEAC0}\ = "nosxplatform Property Page"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\ProgID	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\InprocServer32	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\MiscStatus\1	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}\ProxyStubClsid32	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}\ProxyStubClsid32	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\Control\	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD6C7477-BC9D-473F-B783-E53EFDF9340A}	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}\TypeLib\Version = "1.0"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}\TypeLib	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}\TypeLib	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB5B174-82E3-4669-9210-C2EE035DEAC0}\InprocServer32\ = "C:\\Windows\\Downloaded Program Files\\NOSXPL~1.OCX"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD6C7477-BC9D-473F-B783-E53EFDF9340A}\1.0\ = "nosxplatform ActiveX ÄÁÆ®·Ñ ¸ðµâ"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD6C7477-BC9D-473F-B783-E53EFDF9340A}\1.0\HELPDIR	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\ToolboxBitmap32	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD6C7477-BC9D-473F-B783-E53EFDF9340A}\1.0\0	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD6C7477-BC9D-473F-B783-E53EFDF9340A}\1.0\0\win32\ = "C:\\Windows\\Downloaded Program Files\\nosxplatform.ocx"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\MiscStatus	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\Control	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD6C7477-BC9D-473F-B783-E53EFDF9340A}\1.0	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}\TypeLib\ = "{FD6C7477-BC9D-473F-B783-E53EFDF9340A}"	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\MiscStatus\ = "0"	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\InprocServer32\ThreadingModel = "Apartment"	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}\TypeLib\Version = "1.0"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\Version	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\ToolboxBitmap32\ = "C:\\Windows\\Downloaded Program Files\\NOSXPL~1.OCX, 1"	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\MiscStatus\1\ = "131473"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}\ = "_Dnosxplatform"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}\TypeLib	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}\TypeLib\Version = "1.0"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB5B174-82E3-4669-9210-C2EE035DEAC0}	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\ProgID\ = "NOSXPLATFORM.nosxplatformCtrl.1"	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}\ = "_DnosxplatformEvents"	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\ = "nosxplatform Control"	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}\TypeLib\ = "{FD6C7477-BC9D-473F-B783-E53EFDF9340A}"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NOSXPLATFORM.nosxplatformCtrl.1\CLSID\ = "{861398E7-66F0-4083-A39E-7FC6AAB919A6}"	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}\TypeLib\ = "{FD6C7477-BC9D-473F-B783-E53EFDF9340A}"	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}\ = "_DnosxplatformEvents"	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NOSXPLATFORM.nosxplatformCtrl.1\ = "nosxplatform Control"	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\TypeLib\ = "{FD6C7477-BC9D-473F-B783-E53EFDF9340A}"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}\TypeLib\Version = "1.0"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NOSXPLATFORM.nosxplatformCtrl.1\CLSID	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\Version\ = "1.0"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD6C7477-BC9D-473F-B783-E53EFDF9340A}\1.0\0\win32	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}\ = "_Dnosxplatform"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}\ProxyStubClsid32	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}\TypeLib\ = "{FD6C7477-BC9D-473F-B783-E53EFDF9340A}"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD6C7477-BC9D-473F-B783-E53EFDF9340A}\1.0\FLAGS	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD6C7477-BC9D-473F-B783-E53EFDF9340A}\1.0\HELPDIR\	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NOSXPLATFORM.nosxplatformCtrl.1	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{861398E7-66F0-4083-A39E-7FC6AAB919A6}\TypeLib	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FD6C7477-BC9D-473F-B783-E53EFDF9340A}\1.0\FLAGS\ = "2"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}\TypeLib	nos_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCC6B5E3-8D0E-4BD8-BD9D-08C18944A9BA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D2C44B5-9A03-4E65-91D2-75B5C4FBA242}\ProxyStubClsid32	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB5B174-82E3-4669-9210-C2EE035DEAC0}\InprocServer32	nos_setup.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	nosstarter.npe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	nosstarter.npe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	nosstarter.npe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C6DFA1ED61736476EDA0364D132A786CF3D3475	nos_setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C6DFA1ED61736476EDA0364D132A786CF3D3475\Blob = 0300000001000000140000006c6dfa1ed61736476eda0364d132a786cf3d34750b000000010000001c00000049004e0043004100200049006e007400650072006e006500740000002000000001000000f6030000308203f2308202daa003020102020101300d06092a864886f70d0101050500308190310b3009060355040613024b523120301e060355040a0c17494e434120496e7465726e657420436f2e2c204c74642e313a3038060355040b0c31494e434120496e7465726e657420436f2e2c204c74642e202d20466f7220417574686f72697a656420757365206f6e6c793123302106035504030c1a494e434120496e7465726e657420436f2e2c204c74642e204341301e170d3135303430323038343834315a170d3235303333303038343834315a308190310b3009060355040613024b523120301e060355040a0c17494e434120496e7465726e657420436f2e2c204c74642e313a3038060355040b0c31494e434120496e7465726e657420436f2e2c204c74642e202d20466f7220417574686f72697a656420757365206f6e6c793123302106035504030c1a494e434120496e7465726e657420436f2e2c204c74642e20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c715ddb40ae14e2d6c1b1b8204242317321f0ef90d8bb280f5039041a75477b7a8ea401b0fa9af283ca7f056abde622cf8e518953087656e557960fa545b91a931f56f708e8b7e60c1428214c0893dff7c4db2d16bc7d477ffb8f8f8ee3fa37a2d48fd9577dd5cf51359e167b92d59e4f781a8488ecb9f770c960f203ff865c43a2f5b2713a70eba3e14c4064ace312ffd8671222b05e82c70019139411ea3293dc213374ec2069d676db760b351b64643a6c8711c6c847603f7512f7a430a0e1784a09f58ed8767032225b0ab123651a46eb1fbd9c3f5d4604f3b799097a91d758fd834d2aafd60dfb7e164bd525ce564576955ed5a081f1bc4d4a51e4750810203010001a355305330120603551d130101ff040830060101ff020100301d0603551d0e04160414524446212533bba1eb183774870e32d6080adcf0300b0603551d0f040403020106301106096086480186f8420101040403020007300d06092a864886f70d01010505000382010100ab127f9d36dfe93b5268b0e445d6317e3f7eade91d492a37bddaf8323b76a34058d10863f287ca9dbdff56b2ebe0f13b9342c3a19811b1d2bc1ea7c6de31eb67833b7e755e9aae5cf0aa79c420640783bf81a6e04ee77a2d8c08562e4ba4373a2e0c038b57773bf1745fa67272c2c49b6cade191ba7cb78346ec743f774b1909048659d6628a61ccf7a308c5ddc8e71346a9ac0ba3e4408c180d369ffab6bdd0760a157b899369a8b378e5cc4134966fdb61cb402e7c3ab0a0a70e3a1ec17ff9687a954c9250c46a0963c0961749c80e0abe2576228d133be3e53f591756c76941a5e85bd21f72bc4a7efc4dbddc7619cb56ccb58abbc833ec1fc038993d2004	nos_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	nos_setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e40b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f00740020004700340000002000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	nos_setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3236	nos_setup.exe
3108	nossvc.exe
3108	nossvc.exe
3108	nossvc.exe
3108	nossvc.exe
3108	nossvc.exe
3108	nossvc.exe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
3108	nossvc.exe
3108	nossvc.exe
3108	nossvc.exe
3108	nossvc.exe
3108	nossvc.exe
3108	nossvc.exe
3108	nossvc.exe
3108	nossvc.exe
3108	nossvc.exe
3108	nossvc.exe
3108	nossvc.exe
3108	nossvc.exe
3108	nossvc.exe
3108	nossvc.exe

Suspicious behavior: LoadsDriver 55 IoCs

pid	Process
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
652	Process not Found
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
652	Process not Found
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
652	Process not Found
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe
2008	nosstarter.npe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe
Token: SeDebugPrivilege	2008	nosstarter.npe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2008	nosstarter.npe
2008	nosstarter.npe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2008	nosstarter.npe
2008	nosstarter.npe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 4776	3236	nos_setup.exe	107
PID 3236 wrote to memory of 4776	3236	nos_setup.exe	107
PID 3236 wrote to memory of 4776	3236	nos_setup.exe	107
PID 3236 wrote to memory of 4124	3236	nos_setup.exe	111
PID 3236 wrote to memory of 4124	3236	nos_setup.exe	111
PID 3236 wrote to memory of 4124	3236	nos_setup.exe	111
PID 3236 wrote to memory of 3016	3236	nos_setup.exe	114
PID 3236 wrote to memory of 3016	3236	nos_setup.exe	114
PID 3236 wrote to memory of 3016	3236	nos_setup.exe	114
PID 3236 wrote to memory of 1416	3236	nos_setup.exe	115
PID 3236 wrote to memory of 1416	3236	nos_setup.exe	115
PID 3236 wrote to memory of 1416	3236	nos_setup.exe	115
PID 3236 wrote to memory of 4748	3236	nos_setup.exe	117
PID 3236 wrote to memory of 4748	3236	nos_setup.exe	117
PID 3236 wrote to memory of 4748	3236	nos_setup.exe	117
PID 3236 wrote to memory of 2528	3236	nos_setup.exe	119
PID 3236 wrote to memory of 2528	3236	nos_setup.exe	119
PID 3236 wrote to memory of 2528	3236	nos_setup.exe	119
PID 3236 wrote to memory of 2008	3236	nos_setup.exe	122
PID 3236 wrote to memory of 2008	3236	nos_setup.exe	122
PID 3236 wrote to memory of 2008	3236	nos_setup.exe	122
PID 2008 wrote to memory of 6108	2008	nosstarter.npe	125
PID 2008 wrote to memory of 6108	2008	nosstarter.npe	125
PID 2008 wrote to memory of 6108	2008	nosstarter.npe	125
PID 2008 wrote to memory of 5348	2008	nosstarter.npe	127
PID 2008 wrote to memory of 5348	2008	nosstarter.npe	127
PID 2008 wrote to memory of 5348	2008	nosstarter.npe	127
PID 2008 wrote to memory of 5532	2008	nosstarter.npe	129
PID 2008 wrote to memory of 5532	2008	nosstarter.npe	129
PID 2008 wrote to memory of 5532	2008	nosstarter.npe	129
PID 2008 wrote to memory of 5596	2008	nosstarter.npe	131
PID 2008 wrote to memory of 5596	2008	nosstarter.npe	131
PID 2008 wrote to memory of 5596	2008	nosstarter.npe	131
PID 2008 wrote to memory of 5628	2008	nosstarter.npe	133
PID 2008 wrote to memory of 5628	2008	nosstarter.npe	133
PID 2008 wrote to memory of 5628	2008	nosstarter.npe	133
PID 2008 wrote to memory of 5700	2008	nosstarter.npe	135
PID 2008 wrote to memory of 5700	2008	nosstarter.npe	135
PID 2008 wrote to memory of 5700	2008	nosstarter.npe	135
PID 2008 wrote to memory of 5884	2008	nosstarter.npe	137
PID 2008 wrote to memory of 5884	2008	nosstarter.npe	137
PID 2008 wrote to memory of 5884	2008	nosstarter.npe	137
PID 2008 wrote to memory of 384	2008	nosstarter.npe	139
PID 2008 wrote to memory of 384	2008	nosstarter.npe	139
PID 2008 wrote to memory of 384	2008	nosstarter.npe	139
PID 2008 wrote to memory of 5680	2008	nosstarter.npe	141
PID 2008 wrote to memory of 5680	2008	nosstarter.npe	141
PID 2008 wrote to memory of 5680	2008	nosstarter.npe	141
PID 2008 wrote to memory of 5932	2008	nosstarter.npe	143
PID 2008 wrote to memory of 5932	2008	nosstarter.npe	143
PID 2008 wrote to memory of 5932	2008	nosstarter.npe	143
PID 2008 wrote to memory of 5236	2008	nosstarter.npe	145
PID 2008 wrote to memory of 5236	2008	nosstarter.npe	145
PID 2008 wrote to memory of 5236	2008	nosstarter.npe	145
PID 2008 wrote to memory of 5616	2008	nosstarter.npe	147
PID 2008 wrote to memory of 5616	2008	nosstarter.npe	147
PID 2008 wrote to memory of 5616	2008	nosstarter.npe	147
PID 2008 wrote to memory of 5264	2008	nosstarter.npe	149
PID 2008 wrote to memory of 5264	2008	nosstarter.npe	149
PID 2008 wrote to memory of 5264	2008	nosstarter.npe	149
PID 3108 wrote to memory of 5788	3108	nossvc.exe	151
PID 3108 wrote to memory of 5788	3108	nossvc.exe	151
PID 2008 wrote to memory of 5392	2008	nosstarter.npe	153
PID 2008 wrote to memory of 5392	2008	nosstarter.npe	153

C:\Users\Admin\AppData\Local\Temp\nos_setup.exe
"C:\Users\Admin\AppData\Local\Temp\nos_setup.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\system32\sc.exe" control nossvc 200
  2⤵
  - Launches sc.exe
  PID:4776
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="nProtect Online Security Starter" program="C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe" description="nProtect Online Security Starter" dir=in action=allow protocol=any enable=yes profile=any
  2⤵
  - Modifies Windows Firewall
  PID:4124
- C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exe
  "C:\Program Files (x86)\INCAInternet\nProtect Online Security\nprotect_install.exe" /T:c:\temp
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\system32\sc.exe" create "nossvc" binPath= "\"C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe\" /SVC" DisplayName= "nProtect Online Security(PFS)" start= auto
  2⤵
  - Launches sc.exe
  PID:1416
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\system32\sc.exe" description "nossvc" "nProtect Online Security(PFS)"
  2⤵
  - Launches sc.exe
  PID:4748
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\system32\sc.exe" start "nossvc"
  2⤵
  - Launches sc.exe
  PID:2528
- C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe
  "C:\Program Files (x86)\INCAInternet\nProtect Online Security\nosstarter.npe" /SET
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Sets service image path in registry
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Writes to the Master Boot Record (MBR)
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe
    "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cx76qewj.Admin" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6108
- - C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe
    "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cx76qewj.Admin"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5348
- - C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe
    "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cx76qewj.Admin"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5532
- - C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe
    "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5596
- - C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe
    "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5628
- - C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe
    "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release"
    3⤵
    - Executes dropped EXE
    PID:5700
- - C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe
    "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cx76qewj.Admin" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer"
    3⤵
    - Executes dropped EXE
    PID:5884
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" advfirewall firewall add rule name="nProtect Online Security Updater" program="C:\Program Files (x86)\INCAInternet\nProtect Online Security\npupdatec.exe" description="nProtect Online Security Updater" dir=Out action=allow protocol=any enable=yes profile=any
    3⤵
    - Modifies Windows Firewall
    PID:384
- - C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe
    "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cx76qewj.Admin"
    3⤵
    - Executes dropped EXE
    PID:5680
- - C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe
    "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\cx76qewj.Admin"
    3⤵
    - Executes dropped EXE
    PID:5932
- - C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe
    "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -A -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release" -t "C,," -n "INCA Internet Co., Ltd. CA - INCA Internet Co., Ltd." -i "C:\ProgramData\INCAInternet\nProtect Online Security\cert\inca.cer"
    3⤵
    - Executes dropped EXE
    PID:5236
- - C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe
    "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release"
    3⤵
    - Executes dropped EXE
    PID:5616
- - C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe
    "C:\Program Files (x86)\INCAInternet\nProtect Online Security\ncert\certutil.exe" -L -d sql:"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release"
    3⤵
    - Executes dropped EXE
    PID:5264
- - C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe
    "C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe" h8kz9q
    3⤵
    - Executes dropped EXE
    PID:5392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1304 --field-trial-handle=2256,i,18272763564106695635,11201593968620719822,262144 --variations-seed-version /prefetch:8
1⤵
PID:1444

C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe
"C:\Program Files (x86)\INCAInternet\nProtect Online Security\nossvc.exe" /SVC
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Sets service image path in registry
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks for VirtualBox DLLs, possible anti-VM trick
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe
  "C:\Program Files (x86)\INCAInternet\nProtect Online Security\npk\noske64.exe" u3j6oP
  2⤵
  - Executes dropped EXE
  PID:5788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion