44caliber | eb18e1c355e002f0589621dd7f67605004874c016ac7e3f3ea93ee0092a183ff

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CLModdingTool.exe
Size

2.8MB
MD5

3e8467e2688b2efa61f59f22f809f1e0
SHA1

a6c5df599e482932d3beda04c8ec6280fe6d68e8
SHA256

eb18e1c355e002f0589621dd7f67605004874c016ac7e3f3ea93ee0092a183ff
SHA512

43c252147ac8e63ad28d672ef866608af523e73991093d650b61a40c55b7415208bc472d29e6e8c650ca580b0b71ff35af0e4945d387e242878a114ea84883d5
SSDEEP

49152:9svNXfFAw+qqIlu3Ab7AUziVj3djevc2FmpLAcyxEDIUqsfix5b4qPcxxKppk:9sdfmZIllvYj3djeUHhaESV5b4qPIKLk

Score

10^/10

44caliber xworm evasion execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1239664839861731431/VT6K0qlAVUjcvrSdaA7o80cVaJyetsfS1bh1v1T-yNWgA-Xp45pD3IwxPT8-ZVpBj_mb

Extracted

Family

xworm

Version

5.0

central-feb.gl.at.ply.gg:50764

Mutex

v9noCapeVzXu1P4f

Attributes

Install_directory
%AppData%
install_file
ModsInstaller.exe

aes.plain

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\ModsPack.exe	family_xworm
behavioral1/memory/2616-56-0x0000000000EB0000-0x0000000000EE8000-memory.dmp	family_xworm

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

916 powershell.exe
1204 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

pid	process
916	powershell.exe
1204	powershell.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\CVKCQNWB\ImagePath = "C:\\ProgramData\\oaocofwmfjha\\gmstcccpdzbb.exe"	services.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 2 IoCs

Processes:

ModsPack.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModsInstaller.lnk	ModsPack.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModsInstaller.lnk	ModsPack.exe

Executes dropped EXE 6 IoCs

Processes:

ClokaHelper.exeClockModdingToolInstaller.exeModsPack.execlockamoddingtool.exegmstcccpdzbb.exempdjnz.exe

pid process

2020 ClokaHelper.exe
2680 ClockModdingToolInstaller.exe
2616 ModsPack.exe
2776 clockamoddingtool.exe
888 gmstcccpdzbb.exe
596 mpdjnz.exe

Loads dropped DLL 16 IoCs

Processes:

CLModdingTool.exeservices.exe

pid	process
2964	CLModdingTool.exe
2964	CLModdingTool.exe
2964	CLModdingTool.exe
2964	CLModdingTool.exe
2964	CLModdingTool.exe
2964	CLModdingTool.exe
2964	CLModdingTool.exe
2964	CLModdingTool.exe
2964	CLModdingTool.exe
2964	CLModdingTool.exe
2964	CLModdingTool.exe
2964	CLModdingTool.exe
2964	CLModdingTool.exe
2964	CLModdingTool.exe
480	services.exe
480	services.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ModsPack.exempdjnz.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ModsInstaller = "C:\\Users\\Admin\\AppData\\Roaming\\ModsInstaller.exe"	ModsPack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\toad.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toad.exe"	mpdjnz.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
5 freegeoip.app
16 ip-api.com

flow	ioc
4	freegeoip.app
5	freegeoip.app
16	ip-api.com

Drops file in System32 directory 22 IoCs

Processes:

powershell.exeClockModdingToolInstaller.exeWMIADAP.EXEsvchost.exepowershell.exegmstcccpdzbb.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	ClockModdingToolInstaller.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE
File created	C:\Windows\system32\perfh00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00C.dat	WMIADAP.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc011.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	gmstcccpdzbb.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File created	C:\Windows\system32\perfc007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh011.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc010.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh010.dat	WMIADAP.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

ClockModdingToolInstaller.exegmstcccpdzbb.exe

description	pid	process	target process
PID 2680 set thread context of 1492	2680	ClockModdingToolInstaller.exe	dialer.exe
PID 888 set thread context of 2684	888	gmstcccpdzbb.exe	dialer.exe
PID 888 set thread context of 1764	888	gmstcccpdzbb.exe	dialer.exe
PID 888 set thread context of 1148	888	gmstcccpdzbb.exe	dialer.exe

Drops file in Windows directory 6 IoCs

Processes:

WMIADAP.EXEwusa.exesvchost.exewusa.exe

description	ioc	process
File created	C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini	WMIADAP.EXE
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE

Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1744 sc.exe
384 sc.exe
1908 sc.exe
2204 sc.exe
2220 sc.exe
1900 sc.exe
1796 sc.exe
1628 sc.exe
2060 sc.exe
992 sc.exe
1732 sc.exe
1604 sc.exe
572 sc.exe
2992 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1744	sc.exe
384	sc.exe
1908	sc.exe
2204	sc.exe
2220	sc.exe
1900	sc.exe
1796	sc.exe
1628	sc.exe
2060	sc.exe
992	sc.exe
1732	sc.exe
1604	sc.exe
572	sc.exe
2992	sc.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exeClokaHelper.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ClokaHelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ClokaHelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

wmiprvse.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b02127e2e8a5da01	powershell.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ClokaHelper.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	ClokaHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	ClokaHelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	ClokaHelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	ClokaHelper.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ClokaHelper.exeClockModdingToolInstaller.exepowershell.exedialer.exegmstcccpdzbb.exepowershell.exeModsPack.exedialer.exe

pid	process
2020	ClokaHelper.exe
2020	ClokaHelper.exe
2020	ClokaHelper.exe
2680	ClockModdingToolInstaller.exe
916	powershell.exe
2680	ClockModdingToolInstaller.exe
2680	ClockModdingToolInstaller.exe
2680	ClockModdingToolInstaller.exe
2680	ClockModdingToolInstaller.exe
2680	ClockModdingToolInstaller.exe
2680	ClockModdingToolInstaller.exe
2680	ClockModdingToolInstaller.exe
2680	ClockModdingToolInstaller.exe
2680	ClockModdingToolInstaller.exe
2680	ClockModdingToolInstaller.exe
2680	ClockModdingToolInstaller.exe
2680	ClockModdingToolInstaller.exe
1492	dialer.exe
1492	dialer.exe
2680	ClockModdingToolInstaller.exe
1492	dialer.exe
1492	dialer.exe
1492	dialer.exe
1492	dialer.exe
2680	ClockModdingToolInstaller.exe
2680	ClockModdingToolInstaller.exe
888	gmstcccpdzbb.exe
1492	dialer.exe
1492	dialer.exe
1492	dialer.exe
1492	dialer.exe
1204	powershell.exe
1492	dialer.exe
1492	dialer.exe
2616	ModsPack.exe
1492	dialer.exe
1492	dialer.exe
888	gmstcccpdzbb.exe
888	gmstcccpdzbb.exe
1492	dialer.exe
1492	dialer.exe
888	gmstcccpdzbb.exe
888	gmstcccpdzbb.exe
888	gmstcccpdzbb.exe
888	gmstcccpdzbb.exe
1492	dialer.exe
1492	dialer.exe
888	gmstcccpdzbb.exe
888	gmstcccpdzbb.exe
888	gmstcccpdzbb.exe
888	gmstcccpdzbb.exe
888	gmstcccpdzbb.exe
888	gmstcccpdzbb.exe
2684	dialer.exe
2684	dialer.exe
888	gmstcccpdzbb.exe
2684	dialer.exe
2684	dialer.exe
2684	dialer.exe
2684	dialer.exe
2684	dialer.exe
2684	dialer.exe
2684	dialer.exe
2684	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ModsPack.exeClokaHelper.exepowershell.exeClockModdingToolInstaller.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exedialer.exesvchost.exepowershell.exegmstcccpdzbb.exepowercfg.exedialer.exepowercfg.exepowercfg.exepowercfg.exedialer.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2616	ModsPack.exe
Token: SeDebugPrivilege	2020	ClokaHelper.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	2680	ClockModdingToolInstaller.exe
Token: SeShutdownPrivilege	280	powercfg.exe
Token: SeShutdownPrivilege	592	powercfg.exe
Token: SeShutdownPrivilege	472	powercfg.exe
Token: SeShutdownPrivilege	1128	powercfg.exe
Token: SeDebugPrivilege	1492	dialer.exe
Token: SeAuditPrivilege	860	svchost.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeAuditPrivilege	860	svchost.exe
Token: SeDebugPrivilege	2616	ModsPack.exe
Token: SeDebugPrivilege	888	gmstcccpdzbb.exe
Token: SeShutdownPrivilege	2576	powercfg.exe
Token: SeDebugPrivilege	2684	dialer.exe
Token: SeShutdownPrivilege	2612	powercfg.exe
Token: SeShutdownPrivilege	2932	powercfg.exe
Token: SeShutdownPrivilege	2476	powercfg.exe
Token: SeLockMemoryPrivilege	1148	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeSystemtimePrivilege	860	svchost.exe
Token: SeBackupPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeShutdownPrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeUndockPrivilege	860	svchost.exe
Token: SeManageVolumePrivilege	860	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeShutdownPrivilege	1360	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

clockamoddingtool.exeExplorer.EXEmpdjnz.exe

pid	process
2776	clockamoddingtool.exe
1360	Explorer.EXE
1360	Explorer.EXE
596	mpdjnz.exe
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
1360	Explorer.EXE
596	mpdjnz.exe
1360	Explorer.EXE
1360	Explorer.EXE
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Explorer.EXEmpdjnz.exe

pid	process
1360	Explorer.EXE
1360	Explorer.EXE
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe
596	mpdjnz.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ModsPack.exempdjnz.exe

pid process

2616 ModsPack.exe
596 mpdjnz.exe
596 mpdjnz.exe

pid	process
2616	ModsPack.exe
596	mpdjnz.exe
596	mpdjnz.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CLModdingTool.execmd.exeClockModdingToolInstaller.exedialer.exeservices.exe

description	pid	process	target process
PID 2964 wrote to memory of 2020	2964	CLModdingTool.exe	ClokaHelper.exe
PID 2964 wrote to memory of 2020	2964	CLModdingTool.exe	ClokaHelper.exe
PID 2964 wrote to memory of 2020	2964	CLModdingTool.exe	ClokaHelper.exe
PID 2964 wrote to memory of 2020	2964	CLModdingTool.exe	ClokaHelper.exe
PID 2964 wrote to memory of 2680	2964	CLModdingTool.exe	ClockModdingToolInstaller.exe
PID 2964 wrote to memory of 2680	2964	CLModdingTool.exe	ClockModdingToolInstaller.exe
PID 2964 wrote to memory of 2680	2964	CLModdingTool.exe	ClockModdingToolInstaller.exe
PID 2964 wrote to memory of 2680	2964	CLModdingTool.exe	ClockModdingToolInstaller.exe
PID 2964 wrote to memory of 2616	2964	CLModdingTool.exe	ModsPack.exe
PID 2964 wrote to memory of 2616	2964	CLModdingTool.exe	ModsPack.exe
PID 2964 wrote to memory of 2616	2964	CLModdingTool.exe	ModsPack.exe
PID 2964 wrote to memory of 2616	2964	CLModdingTool.exe	ModsPack.exe
PID 2964 wrote to memory of 2776	2964	CLModdingTool.exe	clockamoddingtool.exe
PID 2964 wrote to memory of 2776	2964	CLModdingTool.exe	clockamoddingtool.exe
PID 2964 wrote to memory of 2776	2964	CLModdingTool.exe	clockamoddingtool.exe
PID 2964 wrote to memory of 2776	2964	CLModdingTool.exe	clockamoddingtool.exe
PID 2332 wrote to memory of 1584	2332	cmd.exe	wusa.exe
PID 2332 wrote to memory of 1584	2332	cmd.exe	wusa.exe
PID 2332 wrote to memory of 1584	2332	cmd.exe	wusa.exe
PID 2680 wrote to memory of 1492	2680	ClockModdingToolInstaller.exe	dialer.exe
PID 2680 wrote to memory of 1492	2680	ClockModdingToolInstaller.exe	dialer.exe
PID 2680 wrote to memory of 1492	2680	ClockModdingToolInstaller.exe	dialer.exe
PID 2680 wrote to memory of 1492	2680	ClockModdingToolInstaller.exe	dialer.exe
PID 2680 wrote to memory of 1492	2680	ClockModdingToolInstaller.exe	dialer.exe
PID 2680 wrote to memory of 1492	2680	ClockModdingToolInstaller.exe	dialer.exe
PID 2680 wrote to memory of 1492	2680	ClockModdingToolInstaller.exe	dialer.exe
PID 1492 wrote to memory of 436	1492	dialer.exe	winlogon.exe
PID 1492 wrote to memory of 480	1492	dialer.exe	services.exe
PID 1492 wrote to memory of 496	1492	dialer.exe	lsass.exe
PID 1492 wrote to memory of 504	1492	dialer.exe	lsm.exe
PID 1492 wrote to memory of 612	1492	dialer.exe	svchost.exe
PID 1492 wrote to memory of 696	1492	dialer.exe	svchost.exe
PID 1492 wrote to memory of 780	1492	dialer.exe	svchost.exe
PID 1492 wrote to memory of 832	1492	dialer.exe	svchost.exe
PID 1492 wrote to memory of 860	1492	dialer.exe	svchost.exe
PID 1492 wrote to memory of 1008	1492	dialer.exe	svchost.exe
PID 1492 wrote to memory of 352	1492	dialer.exe	svchost.exe
PID 1492 wrote to memory of 300	1492	dialer.exe	spoolsv.exe
PID 1492 wrote to memory of 1032	1492	dialer.exe	svchost.exe
PID 1492 wrote to memory of 1224	1492	dialer.exe	taskhost.exe
PID 1492 wrote to memory of 1320	1492	dialer.exe	Dwm.exe
PID 1492 wrote to memory of 1360	1492	dialer.exe	Explorer.EXE
PID 1492 wrote to memory of 1124	1492	dialer.exe	svchost.exe
PID 1492 wrote to memory of 2400	1492	dialer.exe	sppsvc.exe
PID 1492 wrote to memory of 2020	1492	dialer.exe	ClokaHelper.exe
PID 1492 wrote to memory of 2680	1492	dialer.exe	ClockModdingToolInstaller.exe
PID 1492 wrote to memory of 2616	1492	dialer.exe	ModsPack.exe
PID 1492 wrote to memory of 2832	1492	dialer.exe	wmiprvse.exe
PID 1492 wrote to memory of 1128	1492	dialer.exe	powercfg.exe
PID 1492 wrote to memory of 280	1492	dialer.exe	powercfg.exe
PID 1492 wrote to memory of 472	1492	dialer.exe	powercfg.exe
PID 1492 wrote to memory of 2452	1492	dialer.exe	conhost.exe
PID 1492 wrote to memory of 1480	1492	dialer.exe	conhost.exe
PID 1492 wrote to memory of 800	1492	dialer.exe	conhost.exe
PID 1492 wrote to memory of 2220	1492	dialer.exe	sc.exe
PID 1492 wrote to memory of 2300	1492	dialer.exe	conhost.exe
PID 480 wrote to memory of 888	480	services.exe	gmstcccpdzbb.exe
PID 480 wrote to memory of 888	480	services.exe	gmstcccpdzbb.exe
PID 480 wrote to memory of 888	480	services.exe	gmstcccpdzbb.exe
PID 1492 wrote to memory of 888	1492	dialer.exe	gmstcccpdzbb.exe
PID 1492 wrote to memory of 1900	1492	dialer.exe	sc.exe
PID 1492 wrote to memory of 2384	1492	dialer.exe	conhost.exe
PID 1492 wrote to memory of 888	1492	dialer.exe	gmstcccpdzbb.exe
PID 1492 wrote to memory of 1204	1492	dialer.exe	powershell.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:612

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2832

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
3⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
- Modifies security service
- Drops file in System32 directory
PID:780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:832

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
3⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
3⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:1008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:352

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1032

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1124

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:2400

C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:1168

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Drops file in Windows directory
PID:1932

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
3⤵
- Launches sc.exe
PID:992

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1732

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
3⤵
- Launches sc.exe
PID:1628

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
3⤵
- Launches sc.exe
PID:2992

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
3⤵
- Launches sc.exe
PID:2060

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
3⤵
PID:1764

C:\Windows\system32\dialer.exe
dialer.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:496

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:504

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1360

C:\Users\Admin\AppData\Local\Temp\CLModdingTool.exe
"C:\Users\Admin\AppData\Local\Temp\CLModdingTool.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964

C:\Users\Admin\AppData\Local\Temp\ClokaHelper.exe
"C:\Users\Admin\AppData\Local\Temp\ClokaHelper.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Users\Admin\AppData\Local\Temp\ClockModdingToolInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\ClockModdingToolInstaller.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
- Drops file in Windows directory
PID:1584

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
4⤵
- Launches sc.exe
PID:1604

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1908

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
4⤵
- Launches sc.exe
PID:1744

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
4⤵
- Launches sc.exe
PID:2204

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
4⤵
- Launches sc.exe
PID:384

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:280

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "CVKCQNWB"
4⤵
- Launches sc.exe
PID:572

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "CVKCQNWB" binpath= "C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe" start= "auto"
4⤵
- Launches sc.exe
PID:2220

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:1796

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "CVKCQNWB"
4⤵
- Launches sc.exe
PID:1900

C:\Users\Admin\AppData\Local\Temp\ModsPack.exe
"C:\Users\Admin\AppData\Local\Temp\ModsPack.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2616

C:\Users\Admin\AppData\Local\Temp\mpdjnz.exe
"C:\Users\Admin\AppData\Local\Temp\mpdjnz.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:596

C:\Users\Admin\AppData\Local\Temp\clockamoddingtool.exe
"C:\Users\Admin\AppData\Local\Temp\clockamoddingtool.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-729158021-2002404973-1871634893-253152973-438060356-1815569439-1129588282-2124233862"
1⤵
PID:2452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "704747529-5809733521164742726-616313270-9694525041791869046-143915467-353744529"
1⤵
PID:1480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1948534962-1249435004-181435111610448383-896321341-305734298354110587-2068761424"
1⤵
PID:800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "113207265202122916-863531226-1382529183-6622117820361874761916349194-1723501790"
1⤵
PID:2300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1110952586-265564882-705284807-130646987913822669361013806247-19642899231691794169"
1⤵
PID:2384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2041795585493969052-1297496880-1528285344-43283832716377913111674922652-1921072103"
1⤵
PID:572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1107594521-10760138591310516421928452996-1695094381876477063-1911243996-1858973900"
1⤵
PID:856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16543384914263451924595308011016592500-1932200442-1787432462-14859068552040878904"
1⤵
PID:816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-554521053-816959228-19127645801111412513-191850278418748557731147270801-498497993"
1⤵
PID:2364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2949129701966976644250518459-660476500850688703590830231-16628902411655690103"
1⤵
PID:2928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2083651521-916116649-1803807126-1235848680-24140468418848758811117458328-504817478"
1⤵
PID:2784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10345335421493806638-985500336-1289243931610125020728699479-6037978871715128439"
1⤵
PID:2504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "544963789-1436615092359881-21406719201095280645-156325143811558376031473337286"
1⤵
PID:2068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
88B

MD5
5a80ae856d3183cc50a92f7a470a4d44

SHA1
6fc7f31ce53916c1e308ab77cabaae22c9197395

SHA256
248bd46369dc7a6611f0009cc3be813143044d2ddd87ff5fa6d395c665ed7fe6

SHA512
85507d5724f1dbc21d6c10c12f9da85d57f7cb674a814a8c506e705ec58f7fc2d32ac8f3c555df93f349409bb75e1ee500920866b514a7401e9eb1e5f4b8ac10

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
433B

MD5
238eece2e787189a55b66aa9d2062290

SHA1
2e5005b0e8cf6007b71d2a9e5cf0bab81589c901

SHA256
3f27143a41cbb3746e6c8505fe92585714863a74b29d973172edd2ede49dd5ad

SHA512
9abeb418bfb13543de6f694e6fb2b27f4026823b3ed09ebedd5b48b047a7f156c7494f671d07f5516e16351e417e5da9c020beb5310ffbb0be8ca015960977a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpdjnz.exe
Filesize
56KB

MD5
6d10f6618182a146fc3b407f8b0c080e

SHA1
f7f6c854b5a5eb0debcc5060453d0d15d66eeb87

SHA256
170c9351717e67cda6f3cfa73196c32462e63c87a07336821668b38bd0e1cf01

SHA512
14ad694b297090cacf1aeb92badbba68d4ebb1b44da4a9e63137c0aa1ebc3a94236792266783f79b3428e3d611afe46288b9ae818c194fe1deb2fa9ea58febb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ModsInstaller.lnk
Filesize
724B

MD5
6fce37a06a5293d29e5c2ac30aebf6de

SHA1
6004445a8019f484799e13d0a9074b3ddc2f611b

SHA256
f882f02cae9d07f15306b8aef29aac463a48d05078ea41431eae78cbfa6a90a3

SHA512
679b48dd087e5230fcc72926a47fa53eaf19d495d4013f4a677eae7e27c77f7cd5136744650a74880b89bf819fd535b6d540b9ed4fdca3f2ff70ffbee39dc28b

Download Submit
C:\Windows\System32\perfc007.dat
Filesize
141KB

MD5
cea1b98ec0c3919cc62c836e00c68863

SHA1
e02600d4cb930ce357e0df3a1acf3a33ad238fa3

SHA256
8f44cd24382a3719b6fe3b0866286f4543257629b087fba76bc43158c22faed6

SHA512
af44659dfa613c9a30761b996453e5ff6b5d7ed1e5e5b1003b2f2d6348507bbc4ccd54ced36981fb50706ce880cea69994cfbafccfeb1e19f23c05623c198644

Download Submit
C:\Windows\System32\perfc00A.dat
Filesize
154KB

MD5
124b2850d0d5ea4d72b0b9a332225836

SHA1
91b4717369678b7924c54beb7b73a13714633b45

SHA256
16c79e7814370310048aa440a671ee3f28fd42fe4271211d19739a5dd611c3be

SHA512
da705bf51423a48d8eb4592033d32de99cae30cfad9b6222b7d57c13efd56fb82ef3e92cdd04ac7f12f0ae1b616294a7e22879c3f5443765f2ca57c098282b33

Download Submit
C:\Windows\System32\perfc00C.dat
Filesize
141KB

MD5
822e634903f0f097472909713272812c

SHA1
00014d6d5586deea745580e8555df39115f3e0aa

SHA256
6dd5e379751f7294a604c8235162e782d10a2f426239e2c0ea479b732da4f693

SHA512
2e0feb10dcdcbce6609d3ea07e20ac2050429081baaa30704a13848c839670b68fa75696d8741cc7473b7ee993843a086e80a6c433f93ab8d22ecd07d72855c4

Download Submit
C:\Windows\System32\perfc010.dat
Filesize
142KB

MD5
71b854c727e136df2704232789a09457

SHA1
015010461e0c9f499047591ae850c9d013a04f33

SHA256
aa180f83eff8188abc3594032c36a545bb81d9fa01973aa74cf3977f2eeb2459

SHA512
17e31ecf14815d4387acc86f34591ce16ccc099557bc2265135be62314d4c6f0946d9472690de8c43313d1839112556ffeee91322dcd656830be234511b1a9f0

Download Submit
C:\Windows\System32\perfc011.dat
Filesize
114KB

MD5
bee5d91b496fb80f633b314b1dbb55eb

SHA1
25c99dd2d14166bdb16a3b0238204fa8c0094780

SHA256
60f1cd5bc3deb6245e628c6be28bb5425e9c9c24437832929f4d55265ce51334

SHA512
468c5745197bf8a044236dcb86ee398d269e35ef1c93bceb171c9e99bd2bcb39240cbe8280daa8f3d0af4f93b616a47d5d73188c3d2fce244f9ad2e089e2f460

Download Submit
C:\Windows\System32\perfh007.dat
Filesize
668KB

MD5
5bf32d9691933ae11b5eada31f1a2377

SHA1
1124bab5271e006d69968eb2bb365e26fb02e3dd

SHA256
26e51dd53f5835053443c5b07158243e71e7baf840af6553a144adade35cad98

SHA512
633aaca0a283891d7ff034c2ce22e98b804ecf2f617ce131e5680f43f52d011c10fb7267987c09fa9b803c93ccedbb9f40325f3229a9228ed1c1d236ce55e8f1

Download Submit
C:\Windows\System32\perfh009.dat
Filesize
634KB

MD5
2607d7f6cb436cfc13dcb11cd9d00b66

SHA1
3e6fec2467a5df541d074fe0e0022eba8232770f

SHA256
d9853dc6c034b3a304321c8d26274cb1579a4d20499b68b76fb3b947fb30b975

SHA512
b53817c724409e5794a4d767bbb0fc16badc7a5088165401728885daecd0a6d986bc42f80c70cbd98d8602b6ffe742d7ac6c71dfc05a95e4210b4c2185d3a5ee

Download Submit
C:\Windows\System32\perfh00A.dat
Filesize
715KB

MD5
d18094b6e68efa9614d1e416fb102f4d

SHA1
131620905e016bc2e5af2fb460aade913b66d48d

SHA256
1523ee3af7aa4808b9b7b653ef832a42eae718f73f9928ca78c0e2073e1102dc

SHA512
0257a3be68815d4a6c62f15070c9f56494181dec7eca30ff0ce2b6fc38c1c41a762906e6574b8052b1c9b066f75cadf654827abcb42a8894f55df8a360902e21

Download Submit
C:\Windows\System32\perfh00C.dat
Filesize
727KB

MD5
78551fda9730bb582b9622a3f2b71eef

SHA1
51aad2de44090656938526b2f974a2253b77b6b2

SHA256
3b01e337147a2415e22ea0aae0af4617e8a368a80eeb590765982edacc23e8c3

SHA512
a4e725ea80aceee54d74682cf436649e1cfca140a7db1b8909556b2e2c2c0d3b5b890fe44c614c17a7d8544a178e1871edf9bb9d1c99e96f3799de6a7936af7b

Download Submit
C:\Windows\System32\perfh010.dat
Filesize
722KB

MD5
37997b4a765e0df0944deb7b3c68fc9f

SHA1
7f70b0f88f8353e6e382f80b38d47736e2de81ca

SHA256
f82abb5bf658ddc5bbf83b786d83636f830494a3c259140cab60e52582c87ac6

SHA512
e28605ce84f795aa8b100c8da3129a8ed370861bd229265f0a1093fbb0ec5ed13e78657f30f266a707848e1f651543b4dc5fdf5ad61ed5e61b1e68ff03dcb25c

Download Submit
C:\Windows\System32\perfh011.dat
Filesize
406KB

MD5
0e026eb49e299091e1b0052091c3054d

SHA1
bc2ba534a80f8eb70513fc3a21b8189bcb66e7a3

SHA256
7c61b56375d8dea0a9e1992763fd118b717898fe3a58270288026caad3c29e44

SHA512
b4eff969eb5ae37219fa865b9b3649a64aa4f022cc4d1bacb44af06bdaf0bb6d8ff764cc0f2d0d5596895a24a8e30ffdbff28065ed84e3fcfdfe1087c417b2a8

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h
Filesize
3KB

MD5
b133a676d139032a27de3d9619e70091

SHA1
1248aa89938a13640252a79113930ede2f26f1fa

SHA256
ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

SHA512
c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini
Filesize
27KB

MD5
46d08e3a55f007c523ac64dce6dcf478

SHA1
62edf88697e98d43f32090a2197bead7e7244245

SHA256
5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614

SHA512
b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42

Download Submit
\Users\Admin\AppData\Local\Temp\ClockModdingToolInstaller.exe
Filesize
2.8MB

MD5
ea1cd01967246105d1df5dd754c18652

SHA1
9f8f3d3bd6a8ffe090b20681afc6cd4db5c8f6fc

SHA256
64c476205c0ef86807d824120fa30cd0c5ca12c6bf629d311269362b8beb6d1e

SHA512
609d4628eb2bb9a33d602fd7520c0a05ca5026f6d595d9d21fa845ea740618f7f5da43a4cdd65bbd47c5b3b8a26b42ef7d0fe4431c9e57fda6030f7ddd2e796f

Download Submit
\Users\Admin\AppData\Local\Temp\ClokaHelper.exe
Filesize
274KB

MD5
0c36ba36eb375ad5dd4caf9f5d9dc986

SHA1
120aea60169664c91fc822b6686806c018df5c2d

SHA256
b74bb17ed58c3949175b5c0f2afcb5107030b08a863c0650a9ca933ae34a6944

SHA512
d30441b58c0e6192e669f1ec2b41799a088ddc8860e50c2151ae817cb07547f7e4df3b5984a3aaf82838ff628ff39d083bcf22cc6b85ad3751fee1a3cdc16409

Download Submit
\Users\Admin\AppData\Local\Temp\ModsPack.exe
Filesize
205KB

MD5
be7caa55623b12b1eedc4065ea0448e9

SHA1
6adac34012f95232b12961e34ddace02beaeb4d8

SHA256
0d44972799c41fbeabeb1d539e6108a4e553f118951f5825626fe7e13785dc9e

SHA512
3b101a1f263204f7e0d09d03b51b3c19a52c59309818fc6ec0646a61b368c786939e9d45cb6303c8742a7c6a47594a2bbefbd835cada6b57ab02a18eb6b0c219

Download Submit
\Users\Admin\AppData\Local\Temp\clockamoddingtool.exe
Filesize
29KB

MD5
99513e6a542dda990564077a4295f3ae

SHA1
2e0dd1b6e1e1b0fe7489cced98ed5bbef5fccc46

SHA256
a463a392698a6502f64dfc092068b1ea880846ed24e261edf29f6546462fa7c9

SHA512
564a2d4404146cd91b4edc4acaed4c388457b97445d1cea7f5a9a41007c6feb170e8ae88704fc00eb4a33ea999db6c1d49af577405ee3729ed764bdf97507d9b

Download Submit
memory/436-148-0x0000000000CD0000-0x0000000000CFB000-memory.dmp

Filesize
172KB

Download
memory/436-149-0x000007FEBEDB0000-0x000007FEBEDC0000-memory.dmp

Filesize
64KB

Download
memory/436-109-0x0000000000AF0000-0x0000000000B14000-memory.dmp

Filesize
144KB

Download
memory/436-111-0x0000000000AF0000-0x0000000000B14000-memory.dmp

Filesize
144KB

Download
memory/436-150-0x0000000037980000-0x0000000037990000-memory.dmp

Filesize
64KB

Download
memory/480-157-0x000007FEBEDB0000-0x000007FEBEDC0000-memory.dmp

Filesize
64KB

Download
memory/480-156-0x00000000003F0000-0x000000000041B000-memory.dmp

Filesize
172KB

Download
memory/480-158-0x0000000037980000-0x0000000037990000-memory.dmp

Filesize
64KB

Download
memory/496-120-0x0000000037980000-0x0000000037990000-memory.dmp

Filesize
64KB

Download
memory/496-119-0x000007FEBEDB0000-0x000007FEBEDC0000-memory.dmp

Filesize
64KB

Download
memory/496-118-0x00000000000C0000-0x00000000000EB000-memory.dmp

Filesize
172KB

Download
memory/504-160-0x0000000000460000-0x000000000048B000-memory.dmp

Filesize
172KB

Download
memory/504-161-0x000007FEBEDB0000-0x000007FEBEDC0000-memory.dmp

Filesize
64KB

Download
memory/916-97-0x0000000002210000-0x0000000002218000-memory.dmp

Filesize
32KB

Download
memory/916-96-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1204-358-0x000000001A0D0000-0x000000001A3B2000-memory.dmp

Filesize
2.9MB

Download
memory/1204-359-0x00000000008A0000-0x00000000008A8000-memory.dmp

Filesize
32KB

Download
memory/1492-106-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1492-103-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1492-98-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1492-99-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1492-100-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1492-102-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1492-105-0x0000000077820000-0x000000007793F000-memory.dmp

Filesize
1.1MB

Download
memory/1492-104-0x0000000077940000-0x0000000077AE9000-memory.dmp

Filesize
1.7MB

Download
memory/2020-57-0x0000000000030000-0x000000000007A000-memory.dmp

Filesize
296KB

Download
memory/2616-56-0x0000000000EB0000-0x0000000000EE8000-memory.dmp

Filesize
224KB

Download
memory/2776-58-0x0000000000370000-0x000000000037E000-memory.dmp

Filesize
56KB

Download