floxif | 425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8

Analysis

max time kernel
78s
max time network
37s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Size

834KB
MD5

1a6643d549ed0d834a82f90c6db49a70
SHA1

29fbf25ecceecef74f1167637215d97f72989926
SHA256

425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8
SHA512

3d5e771b1f240b8a54563b4aa1e907eeb5f84e79574d80cb700879055aae149a6ed8a4197386a40677f1527397805b5ed4b01e3babe22126dcc8ac21d1aac703
SSDEEP

12288:3Swwn4oOZcaQYn3htObKmmOo3/UuSLekt0YAwgeKBjvrEH75:3Re4oG3hAU3/U/Lekt0YAwge8rEH75

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000c000000012263-1.dat	floxif

Manipulates Digital Signatures 1 TTPs 5 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\090F6804D49DD10B3F71A9F48470ADC883154713	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\090F6804D49DD10B3F71A9F48470ADC883154713\Blob = 030000000100000014000000090f6804d49dd10b3f71a9f48470adc8831547132000000001000000cc020000308202c830820231a00302010202101319ed401db8dbba461a762bb99d725b300d06092a864886f70d010105050030633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e0065007200610074006500640029301e170d3235303130333232323831315a170d3239303130313030303030305a30633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e006500720061007400650064002930819f300d06092a864886f70d010101050003818d0030818902818100ba3b5d7b15c54c3581df4f61e6ebc71ba1b5d0de06518fec5ffc37608bd123f0403d3243e2765df4bfb53ce280bf4dc9e58cf93ac765998279fb7da4f810d38a32ce78c639b00ac59c61a4c28aac6c35f9a98f51fbe64211d2f72a36fd058131f0388f8e011605bb8b8c87ea99ec71a881a6c76b51b1a8c5fd47059ffd2775630203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181000beaa18be4b5b354648da032f8570c9e7f4828137570749396307de94f52926c6d28d0f05913a510a24e28f2d47e144b3c2cdfd80c185fd2e84bbef7f0e8654e5365d4f95f123091ba362ee7b1686037864c0295a901262e09067f4fd3e4222bd443cfa30fd33c0038de4cb20e89771c8ef8bb2540d00fafa1109d8d31a1ba7e	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\090F6804D49DD10B3F71A9F48470ADC883154713\Blob = 0b000000010000000e0000006c00690062007700640069000000030000000100000014000000090f6804d49dd10b3f71a9f48470adc8831547132000000001000000cc020000308202c830820231a00302010202101319ed401db8dbba461a762bb99d725b300d06092a864886f70d010105050030633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e0065007200610074006500640029301e170d3235303130333232323831315a170d3239303130313030303030305a30633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e006500720061007400650064002930819f300d06092a864886f70d010101050003818d0030818902818100ba3b5d7b15c54c3581df4f61e6ebc71ba1b5d0de06518fec5ffc37608bd123f0403d3243e2765df4bfb53ce280bf4dc9e58cf93ac765998279fb7da4f810d38a32ce78c639b00ac59c61a4c28aac6c35f9a98f51fbe64211d2f72a36fd058131f0388f8e011605bb8b8c87ea99ec71a881a6c76b51b1a8c5fd47059ffd2775630203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181000beaa18be4b5b354648da032f8570c9e7f4828137570749396307de94f52926c6d28d0f05913a510a24e28f2d47e144b3c2cdfd80c185fd2e84bbef7f0e8654e5365d4f95f123091ba362ee7b1686037864c0295a901262e09067f4fd3e4222bd443cfa30fd33c0038de4cb20e89771c8ef8bb2540d00fafa1109d8d31a1ba7e	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\090F6804D49DD10B3F71A9F48470ADC883154713\Blob = 0f0000000100000014000000482b1bde5bb33725cf8c11d9792188f52f3a80c9030000000100000014000000090f6804d49dd10b3f71a9f48470adc8831547130b000000010000000e0000006c006900620077006400690000002000000001000000cc020000308202c830820231a00302010202101319ed401db8dbba461a762bb99d725b300d06092a864886f70d010105050030633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e0065007200610074006500640029301e170d3235303130333232323831315a170d3239303130313030303030305a30633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e006500720061007400650064002930819f300d06092a864886f70d010101050003818d0030818902818100ba3b5d7b15c54c3581df4f61e6ebc71ba1b5d0de06518fec5ffc37608bd123f0403d3243e2765df4bfb53ce280bf4dc9e58cf93ac765998279fb7da4f810d38a32ce78c639b00ac59c61a4c28aac6c35f9a98f51fbe64211d2f72a36fd058131f0388f8e011605bb8b8c87ea99ec71a881a6c76b51b1a8c5fd47059ffd2775630203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181000beaa18be4b5b354648da032f8570c9e7f4828137570749396307de94f52926c6d28d0f05913a510a24e28f2d47e144b3c2cdfd80c185fd2e84bbef7f0e8654e5365d4f95f123091ba362ee7b1686037864c0295a901262e09067f4fd3e4222bd443cfa30fd33c0038de4cb20e89771c8ef8bb2540d00fafa1109d8d31a1ba7e	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\090F6804D49DD10B3F71A9F48470ADC883154713\Blob = 030000000100000014000000090f6804d49dd10b3f71a9f48470adc88315471302000000010000004c0000001c0000000000000001000000200000000000000000000000020000006c006900620077006400690020006b0065007900200063006f006e007400610069006e006500720000000000000000000b000000010000000e0000006c006900620077006400690000002000000001000000cc020000308202c830820231a00302010202101319ed401db8dbba461a762bb99d725b300d06092a864886f70d010105050030633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e0065007200610074006500640029301e170d3235303130333232323831315a170d3239303130313030303030305a30633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e006500720061007400650064002930819f300d06092a864886f70d010101050003818d0030818902818100ba3b5d7b15c54c3581df4f61e6ebc71ba1b5d0de06518fec5ffc37608bd123f0403d3243e2765df4bfb53ce280bf4dc9e58cf93ac765998279fb7da4f810d38a32ce78c639b00ac59c61a4c28aac6c35f9a98f51fbe64211d2f72a36fd058131f0388f8e011605bb8b8c87ea99ec71a881a6c76b51b1a8c5fd47059ffd2775630203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181000beaa18be4b5b354648da032f8570c9e7f4828137570749396307de94f52926c6d28d0f05913a510a24e28f2d47e144b3c2cdfd80c185fd2e84bbef7f0e8654e5365d4f95f123091ba362ee7b1686037864c0295a901262e09067f4fd3e4222bd443cfa30fd33c0038de4cb20e89771c8ef8bb2540d00fafa1109d8d31a1ba7e	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c000000012263-1.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2704	installer_x64.exe

Loads dropped DLL 6 IoCs

pid	Process
1704	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
1704	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
1704	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
1704	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
1704	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
2860	Process not Found

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	installer_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}\amd64\libusb0.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}\x86\SET52F2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}\SET52F3.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}\SET5304.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}\amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}\x86	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}\x86\libusb0_x86.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\your_file.inf_amd64_neutral_02684de87cfe5d53\your_file.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	installer_x64.exe
File created	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}\SET5304.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	installer_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}\amd64\SET52F1.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}\SET52F3.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}\your_file.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\your_file.inf_amd64_neutral_02684de87cfe5d53\your_file.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	installer_x64.exe
File opened for modification	C:\Windows\System32\GroupPolicy	installer_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}\amd64\SET52F0.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}\amd64\SET52F0.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}\amd64\SET52F1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}\amd64\libusb0.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}\x86\SET52F2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	installer_x64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}\your_file.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1f5209a2-e830-23cc-dc61-0f782aa1a74e}	DrvInst.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000012263-1.dat	upx
behavioral1/memory/1704-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1704-11-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1704-22-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1704-53-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1704-170-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	\??\c:\program files\common files\system\symsrv.dll.000	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	installer_x64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\090F6804D49DD10B3F71A9F48470ADC883154713\Blob = 0b000000010000000e0000006c00690062007700640069000000030000000100000014000000090f6804d49dd10b3f71a9f48470adc8831547132000000001000000cc020000308202c830820231a00302010202101319ed401db8dbba461a762bb99d725b300d06092a864886f70d010105050030633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e0065007200610074006500640029301e170d3235303130333232323831315a170d3239303130313030303030305a30633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e006500720061007400650064002930819f300d06092a864886f70d010101050003818d0030818902818100ba3b5d7b15c54c3581df4f61e6ebc71ba1b5d0de06518fec5ffc37608bd123f0403d3243e2765df4bfb53ce280bf4dc9e58cf93ac765998279fb7da4f810d38a32ce78c639b00ac59c61a4c28aac6c35f9a98f51fbe64211d2f72a36fd058131f0388f8e011605bb8b8c87ea99ec71a881a6c76b51b1a8c5fd47059ffd2775630203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181000beaa18be4b5b354648da032f8570c9e7f4828137570749396307de94f52926c6d28d0f05913a510a24e28f2d47e144b3c2cdfd80c185fd2e84bbef7f0e8654e5365d4f95f123091ba362ee7b1686037864c0295a901262e09067f4fd3e4222bd443cfa30fd33c0038de4cb20e89771c8ef8bb2540d00fafa1109d8d31a1ba7e	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\090F6804D49DD10B3F71A9F48470ADC883154713\Blob = 030000000100000014000000090f6804d49dd10b3f71a9f48470adc8831547132000000001000000cc020000308202c830820231a00302010202101319ed401db8dbba461a762bb99d725b300d06092a864886f70d010105050030633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e0065007200610074006500640029301e170d3235303130333232323831315a170d3239303130313030303030305a30633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e006500720061007400650064002930819f300d06092a864886f70d010101050003818d0030818902818100ba3b5d7b15c54c3581df4f61e6ebc71ba1b5d0de06518fec5ffc37608bd123f0403d3243e2765df4bfb53ce280bf4dc9e58cf93ac765998279fb7da4f810d38a32ce78c639b00ac59c61a4c28aac6c35f9a98f51fbe64211d2f72a36fd058131f0388f8e011605bb8b8c87ea99ec71a881a6c76b51b1a8c5fd47059ffd2775630203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181000beaa18be4b5b354648da032f8570c9e7f4828137570749396307de94f52926c6d28d0f05913a510a24e28f2d47e144b3c2cdfd80c185fd2e84bbef7f0e8654e5365d4f95f123091ba362ee7b1686037864c0295a901262e09067f4fd3e4222bd443cfa30fd33c0038de4cb20e89771c8ef8bb2540d00fafa1109d8d31a1ba7e	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\090F6804D49DD10B3F71A9F48470ADC883154713\Blob = 030000000100000014000000090f6804d49dd10b3f71a9f48470adc88315471302000000010000004c0000001c0000000000000001000000200000000000000000000000020000006c006900620077006400690020006b0065007900200063006f006e007400610069006e006500720000000000000000000b000000010000000e0000006c006900620077006400690000002000000001000000cc020000308202c830820231a00302010202101319ed401db8dbba461a762bb99d725b300d06092a864886f70d010105050030633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e0065007200610074006500640029301e170d3235303130333232323831315a170d3239303130313030303030305a30633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e006500720061007400650064002930819f300d06092a864886f70d010101050003818d0030818902818100ba3b5d7b15c54c3581df4f61e6ebc71ba1b5d0de06518fec5ffc37608bd123f0403d3243e2765df4bfb53ce280bf4dc9e58cf93ac765998279fb7da4f810d38a32ce78c639b00ac59c61a4c28aac6c35f9a98f51fbe64211d2f72a36fd058131f0388f8e011605bb8b8c87ea99ec71a881a6c76b51b1a8c5fd47059ffd2775630203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181000beaa18be4b5b354648da032f8570c9e7f4828137570749396307de94f52926c6d28d0f05913a510a24e28f2d47e144b3c2cdfd80c185fd2e84bbef7f0e8654e5365d4f95f123091ba362ee7b1686037864c0295a901262e09067f4fd3e4222bd443cfa30fd33c0038de4cb20e89771c8ef8bb2540d00fafa1109d8d31a1ba7e	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\090F6804D49DD10B3F71A9F48470ADC883154713	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\090F6804D49DD10B3F71A9F48470ADC883154713\Blob = 030000000100000014000000090f6804d49dd10b3f71a9f48470adc88315471302000000010000004c0000001c0000000000000001000000200000000000000000000000020000006c006900620077006400690020006b0065007900200063006f006e007400610069006e006500720000000000000000000b000000010000000e0000006c006900620077006400690000002000000001000000cc020000308202c830820231a00302010202101319ed401db8dbba461a762bb99d725b300d06092a864886f70d010105050030633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e0065007200610074006500640029301e170d3235303130333232323831315a170d3239303130313030303030305a30633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e006500720061007400650064002930819f300d06092a864886f70d010101050003818d0030818902818100ba3b5d7b15c54c3581df4f61e6ebc71ba1b5d0de06518fec5ffc37608bd123f0403d3243e2765df4bfb53ce280bf4dc9e58cf93ac765998279fb7da4f810d38a32ce78c639b00ac59c61a4c28aac6c35f9a98f51fbe64211d2f72a36fd058131f0388f8e011605bb8b8c87ea99ec71a881a6c76b51b1a8c5fd47059ffd2775630203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181000beaa18be4b5b354648da032f8570c9e7f4828137570749396307de94f52926c6d28d0f05913a510a24e28f2d47e144b3c2cdfd80c185fd2e84bbef7f0e8654e5365d4f95f123091ba362ee7b1686037864c0295a901262e09067f4fd3e4222bd443cfa30fd33c0038de4cb20e89771c8ef8bb2540d00fafa1109d8d31a1ba7e	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\090F6804D49DD10B3F71A9F48470ADC883154713	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\090F6804D49DD10B3F71A9F48470ADC883154713\Blob = 030000000100000014000000090f6804d49dd10b3f71a9f48470adc8831547132000000001000000cc020000308202c830820231a00302010202101319ed401db8dbba461a762bb99d725b300d06092a864886f70d010105050030633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e0065007200610074006500640029301e170d3235303130333232323831315a170d3239303130313030303030305a30633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e006500720061007400650064002930819f300d06092a864886f70d010101050003818d0030818902818100ba3b5d7b15c54c3581df4f61e6ebc71ba1b5d0de06518fec5ffc37608bd123f0403d3243e2765df4bfb53ce280bf4dc9e58cf93ac765998279fb7da4f810d38a32ce78c639b00ac59c61a4c28aac6c35f9a98f51fbe64211d2f72a36fd058131f0388f8e011605bb8b8c87ea99ec71a881a6c76b51b1a8c5fd47059ffd2775630203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181000beaa18be4b5b354648da032f8570c9e7f4828137570749396307de94f52926c6d28d0f05913a510a24e28f2d47e144b3c2cdfd80c185fd2e84bbef7f0e8654e5365d4f95f123091ba362ee7b1686037864c0295a901262e09067f4fd3e4222bd443cfa30fd33c0038de4cb20e89771c8ef8bb2540d00fafa1109d8d31a1ba7e	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\090F6804D49DD10B3F71A9F48470ADC883154713	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\090F6804D49DD10B3F71A9F48470ADC883154713\Blob = 0f0000000100000014000000482b1bde5bb33725cf8c11d9792188f52f3a80c90b000000010000000e0000006c0069006200770064006900000002000000010000004c0000001c0000000000000001000000200000000000000000000000020000006c006900620077006400690020006b0065007900200063006f006e007400610069006e00650072000000000000000000030000000100000014000000090f6804d49dd10b3f71a9f48470adc8831547132000000001000000cc020000308202c830820231a00302010202101319ed401db8dbba461a762bb99d725b300d06092a864886f70d010105050030633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e0065007200610074006500640029301e170d3235303130333232323831315a170d3239303130313030303030305a30633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e006500720061007400650064002930819f300d06092a864886f70d010101050003818d0030818902818100ba3b5d7b15c54c3581df4f61e6ebc71ba1b5d0de06518fec5ffc37608bd123f0403d3243e2765df4bfb53ce280bf4dc9e58cf93ac765998279fb7da4f810d38a32ce78c639b00ac59c61a4c28aac6c35f9a98f51fbe64211d2f72a36fd058131f0388f8e011605bb8b8c87ea99ec71a881a6c76b51b1a8c5fd47059ffd2775630203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181000beaa18be4b5b354648da032f8570c9e7f4828137570749396307de94f52926c6d28d0f05913a510a24e28f2d47e144b3c2cdfd80c185fd2e84bbef7f0e8654e5365d4f95f123091ba362ee7b1686037864c0295a901262e09067f4fd3e4222bd443cfa30fd33c0038de4cb20e89771c8ef8bb2540d00fafa1109d8d31a1ba7e	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\090F6804D49DD10B3F71A9F48470ADC883154713	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\090F6804D49DD10B3F71A9F48470ADC883154713\Blob = 0b000000010000000e0000006c00690062007700640069000000030000000100000014000000090f6804d49dd10b3f71a9f48470adc8831547132000000001000000cc020000308202c830820231a00302010202101319ed401db8dbba461a762bb99d725b300d06092a864886f70d010105050030633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e0065007200610074006500640029301e170d3235303130333232323831315a170d3239303130313030303030305a30633161305f06035504031e58005500530042005c005600490044005f00310032004100420026005000490044005f003100320041004200200028006c006900620077006400690020006100750074006f00670065006e006500720061007400650064002930819f300d06092a864886f70d010101050003818d0030818902818100ba3b5d7b15c54c3581df4f61e6ebc71ba1b5d0de06518fec5ffc37608bd123f0403d3243e2765df4bfb53ce280bf4dc9e58cf93ac765998279fb7da4f810d38a32ce78c639b00ac59c61a4c28aac6c35f9a98f51fbe64211d2f72a36fd058131f0388f8e011605bb8b8c87ea99ec71a881a6c76b51b1a8c5fd47059ffd2775630203010001a37d307b30160603551d250101ff040c300a06082b0601050507030330200603551d07041930178615687474703a2f2f6c69627764692e616b656f2e6965303f0603551d2004383036303406082b060105050702013028302606082b06010505070201161a687474703a2f2f6c69627764692d6370732e616b656f2e696500300d06092a864886f70d0101050500038181000beaa18be4b5b354648da032f8570c9e7f4828137570749396307de94f52926c6d28d0f05913a510a24e28f2d47e144b3c2cdfd80c185fd2e84bbef7f0e8654e5365d4f95f123091ba362ee7b1686037864c0295a901262e09067f4fd3e4222bd443cfa30fd33c0038de4cb20e89771c8ef8bb2540d00fafa1109d8d31a1ba7e	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1704	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1704	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
Token: SeRestorePrivilege	2704	installer_x64.exe
Token: SeRestorePrivilege	2704	installer_x64.exe
Token: SeRestorePrivilege	2704	installer_x64.exe
Token: SeRestorePrivilege	2704	installer_x64.exe
Token: SeRestorePrivilege	2704	installer_x64.exe
Token: SeRestorePrivilege	2704	installer_x64.exe
Token: SeRestorePrivilege	2704	installer_x64.exe
Token: SeRestorePrivilege	2704	installer_x64.exe
Token: SeRestorePrivilege	2704	installer_x64.exe
Token: SeRestorePrivilege	2704	installer_x64.exe
Token: SeRestorePrivilege	2704	installer_x64.exe
Token: SeRestorePrivilege	2704	installer_x64.exe
Token: SeRestorePrivilege	2704	installer_x64.exe
Token: SeRestorePrivilege	2704	installer_x64.exe
Token: SeRestorePrivilege	1396	DrvInst.exe
Token: SeRestorePrivilege	1396	DrvInst.exe
Token: SeRestorePrivilege	1396	DrvInst.exe
Token: SeRestorePrivilege	1396	DrvInst.exe
Token: SeRestorePrivilege	1396	DrvInst.exe
Token: SeRestorePrivilege	1396	DrvInst.exe
Token: SeRestorePrivilege	1396	DrvInst.exe
Token: SeRestorePrivilege	1396	DrvInst.exe
Token: SeRestorePrivilege	1396	DrvInst.exe
Token: SeRestorePrivilege	1396	DrvInst.exe
Token: SeRestorePrivilege	1396	DrvInst.exe
Token: SeRestorePrivilege	1396	DrvInst.exe
Token: SeRestorePrivilege	1396	DrvInst.exe
Token: SeRestorePrivilege	1396	DrvInst.exe
Token: SeLoadDriverPrivilege	2704	installer_x64.exe
Token: SeRestorePrivilege	3064	DrvInst.exe
Token: SeRestorePrivilege	3064	DrvInst.exe
Token: SeRestorePrivilege	3064	DrvInst.exe
Token: SeRestorePrivilege	3064	DrvInst.exe
Token: SeRestorePrivilege	3064	DrvInst.exe
Token: SeRestorePrivilege	3064	DrvInst.exe
Token: SeRestorePrivilege	3064	DrvInst.exe
Token: SeLoadDriverPrivilege	3064	DrvInst.exe
Token: SeLoadDriverPrivilege	3064	DrvInst.exe
Token: SeLoadDriverPrivilege	3064	DrvInst.exe
Token: SeLoadDriverPrivilege	3064	DrvInst.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1704	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2704	1704	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe	33
PID 1704 wrote to memory of 2704	1704	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe	33
PID 1704 wrote to memory of 2704	1704	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe	33
PID 1704 wrote to memory of 2704	1704	425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe	33

C:\Users\Admin\AppData\Local\Temp\425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe
"C:\Users\Admin\AppData\Local\Temp\425296353f916d4cc81a600dc611268cbb53fe46d02cdad5955cac9628c755d8.exe"
1⤵
- Manipulates Digital Signatures
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\Documents\installer_x64.exe
  C:\Users\Admin\Documents\installer_x64.exe your_file.inf
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2704

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0669ac00-328b-699c-b67b-611e0199f453}\your_file.inf" "9" "6a6f3eb03" "0000000000000498" "WinSta0\Default" "00000000000005BC" "208" "C:\Users\Admin\Documents"
1⤵
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "ACPI\QEMU0002\3&11583659&0" "" "" "66f22ec5b" "00000000000005BC" "00000000000003E0" "00000000000005CC"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\newdev.dll,pDiDeviceInstallNotification \\.\pipe\PNP_Device_Install_Pipe_1.{6297e47e-0ae6-4f46-bfd8-aa90f02cdb17} "(null)"
1⤵
PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{0669ac00-328b-699c-b67b-611e0199f453}\amd64\libusb0.sys

Filesize
51KB

MD5
16e18ced459b1824234890386ee66cd5

SHA1
81d2b572ec0d24aba11ed6bfa9174ffad54140b7

SHA256
8058f2afe6ef96a7d2ded432997fd8655970c9ea75a938ee4557d6a2cb4cc989

SHA512
b0e67d040d39f043305b0c172906bbea8341f1326108f5c5a0379cd6b287d62cbd86270385713d0f6a14c5106a5a6c23f6247a303e6124cb3e33982978505c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0669ac00-328b-699c-b67b-611e0199f453}\x86\libusb0_x86.dll

Filesize
66KB

MD5
535779909a40b42f4f3e48598f5778a5

SHA1
3a238468009a6dea3e4f70821339185e56ea3b69

SHA256
00caca07869b19d10b370552ac7cc2f6f2ee246fc15db11650f6cd3f4ef9b666

SHA512
723b42c3df960f031343b9bb74a55ab874cd1f740a187a58bfecdad78876dd227392f18f6faea33e743593511a12635ef6419bb68d4361c6631584ebc8838e80

Download Submit
C:\Users\Admin\DOCUME~1\amd64\libusb0.dll

Filesize
74KB

MD5
1d8215f7f8cd02a553499b534ccfb4d5

SHA1
bab236f840f1521c43bcbaa2a7b92f14f329bc70

SHA256
4f18b5d2c28aa66b648c8683c6d09b52b92cbbee85984bbefad5f38a64bc2a14

SHA512
79ef4b25f16b2f2f37605298470ba9c4600e724e4b52d589add7d48816f656b93c082b5c65669e50e0546865063a068d26390e6ec7fbab66c3726e49a3779d69

Download Submit
C:\Users\Admin\Documents\your_file.cat

Filesize
4KB

MD5
c71ab3c049c8e24b63372a71671ac2bf

SHA1
67bd472e90f6387c76e6d2763b8a5f9520987da9

SHA256
d91e463588fb5f1c248b276b1c1edea3e6ff24083dba55a33f60d64ce5a7e0a1

SHA512
664226093ca3c90cc634580fe1acbe4cc930a81c4c205b80c61d99dd769ded63e209088dd1da6edadc00b1627ca8c73b86d318c18e5e8894fb8d1c182256e3ea

Download Submit
C:\Users\Admin\Documents\your_file.inf

Filesize
7KB

MD5
b0115edcfcce81ba12f9d66ea3ad655d

SHA1
e824b15e4b8f6db026c5691bb5166a947e2ab12c

SHA256
e69794bed1681e5a052ef519a83929e0b506a46acf91695daf432941671b4fde

SHA512
daedf2ec3334ef864b26d2d757b0c313118ec8cfeb0b6bc25f1b0a3754c508a62c4961ec7010e3af1747cd8daa435ed143104072f74c1a2d20aec94a828099d9

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
1078cd53094a96752648f1a8bb8c82e8

SHA1
a1772db5928f746dadd575bc6a758a450d8fa6d4

SHA256
4e421f689068c4e6fe2314ed2ea0c1a2a0e1c9d43016557488f69338b4e2938a

SHA512
f1d27cfa6f68218a5e05b7aec40fcc668dc714fb1fad834fd3727623a50cac1dc0cb55148f366d1d98b5c968d39d0fbafd274b07410f9528070eb81ae11a2709

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
f9a49a3e2415016fa85ddff0b8b38419

SHA1
f8c987119269e58d22a6b17ae2e8eca7744fb385

SHA256
14694dbee3897b6bd5aa596ebfd893e727179b67811920c174dc70e6eee8e579

SHA512
91ea129a51d2c3b342287c1250f5b0da6ba2a61eff11791d1cfae1f5c6dd2654c935be1452f4a681e794fd723a3c295e9bc9e59b9005aa4d8bd55ed36c9ad91c

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\libusb0.sys

Filesize
41KB

MD5
c8c9800179af00c90629514e30873d80

SHA1
9438573aee178c68f49bfa5ad71132d06c4dfa9b

SHA256
aa7d75a4d01b405aab7c848674bbed392b64c6e374e20fd72adc3c96294e2f00

SHA512
1db533b4ed8e4ae2ff55ef8b93b9186e30f8711e91bf07051c70423bac76d8ef29ebe578483029f83dcb619f94fd8abf453aab78328a876fc88188671be522c2

Download Submit
\Users\Admin\Documents\installer_x64.exe

Filesize
24KB

MD5
4781fd8602709818be5725872bf05081

SHA1
747f3ebf9c91d9d704f860203f8e0fb0eb29250d

SHA256
46ae5cf5110626589c1d1688ef9d7fdf6e57983f97fd554b9a6179ad57a533d4

SHA512
6bf77032c9b4a41148b2d24d799ae68e0a05abd864b8e77df2338b0400ff04c64d9baf81f67cbddd5078e4f59801bdd2d644ceb9653a16779d3a877354589d25

Download Submit
memory/1704-20-0x00000000044A0000-0x00000000044A2000-memory.dmp

Filesize
8KB

Download
memory/1704-53-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1704-52-0x0000000000740000-0x0000000000800000-memory.dmp

Filesize
768KB

Download
memory/1704-22-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1704-21-0x0000000000740000-0x0000000000800000-memory.dmp

Filesize
768KB

Download
memory/1704-23-0x0000000000900000-0x0000000000909000-memory.dmp

Filesize
36KB

Download
memory/1704-14-0x0000000000900000-0x0000000000909000-memory.dmp

Filesize
36KB

Download
memory/1704-10-0x0000000000740000-0x0000000000800000-memory.dmp

Filesize
768KB

Download
memory/1704-11-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1704-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1704-170-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1704-169-0x0000000000740000-0x0000000000800000-memory.dmp

Filesize
768KB

Download