gh0strat | b8f70b0e7640bc7a6556b9db8a67229e0bdb95ce52ba6bb4c4cc5823d722bb4b

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2025, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

luoma2 (2).msi
Size

3.9MB
MD5

daa3ec4cd16303cd510f8c95ebbfb8fd
SHA1

304c9caf4edc41e9a0ecfd6115cc684f9e23a316
SHA256

65f0a236ce67ad31629c7f7826058a2ff2d7a0b01e9f965ef6559f7ad38bf78a
SHA512

0b53adb67a9d44791172c5b9c13ad47413a2eb30213d4584165477164321d03307e9da3d12edec73e76ee79297983419aaca6a9fadb2c2a5b273cd29f2990acc
SSDEEP

98304:18+N9QHCaCS1B1a/OxyzH7usEdKMUWnVf3CYk4p20B7Kk:1NKvFB1aOAzH7u1c6pCYk9A9

Score

10^/10

gh0strat purplefox discovery execution rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/2080-73-0x000000002BFB0000-0x000000002C16D000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2080-73-0x000000002BFB0000-0x000000002C16D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2304	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe	MsiExec.exe
File opened for modification	C:\Program Files\MonitorAccentUpgrade	ImCmkefCIwvS.exe
File created	C:\Program Files\MonitorAccentUpgrade\igc964.dll	msiexec.exe
File opened for modification	C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS	QMXzDrCWmwXRNKK.exe
File opened for modification	C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe	QMXzDrCWmwXRNKK.exe
File created	C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe	MsiExec.exe
File created	C:\Program Files\MonitorAccentUpgrade\wegame.exe	MsiExec.exe
File created	C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe	msiexec.exe
File created	C:\Program Files\MonitorAccentUpgrade\valibclang2d.dll	msiexec.exe
File created	C:\Program Files\MonitorAccentUpgrade\VjLlMrQGpGLvBWy	msiexec.exe
File opened for modification	C:\Program Files\MonitorAccentUpgrade\VGWTihpFnYDSOUb	QMXzDrCWmwXRNKK.exe
File opened for modification	C:\Program Files\MonitorAccentUpgrade\2_ImCmkefCIwvS.exe	QMXzDrCWmwXRNKK.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57add4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57add4.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFD2C25DA2200B0C5C.TMP	msiexec.exe
File created	C:\Windows\Installer\e57add6.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF6D8D3AE15D296947.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF00D02C00284838E1.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0741D0F8-F95F-408C-A996-D18BD8AAA38B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE80.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3724BD4D42C20EC3.TMP	msiexec.exe

Executes dropped EXE 6 IoCs

pid	Process
4576	QMXzDrCWmwXRNKK.exe
2508	QMXzDrCWmwXRNKK.exe
5476	ImCmkefCIwvS.exe
1552	xUOZdwMgclhR.exe
224	wegame.exe
2080	ImCmkefCIwvS.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ImCmkefCIwvS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xUOZdwMgclhR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wegame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ImCmkefCIwvS.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000875cf36cf318fa000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000875cf36c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900875cf36c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d875cf36c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000875cf36c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	wegame.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ImCmkefCIwvS.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BEB8733A883FF0E4A83E7D0A4071D730\8F0D1470F59FC8049A691DB88DAA3AB8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\ProductName = "MonitorAccentUpgrade"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\Version = "134217730"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BEB8733A883FF0E4A83E7D0A4071D730	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\PackageName = "luoma2 (2).msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8F0D1470F59FC8049A691DB88DAA3AB8\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\PackageCode = "3AA3ACCE3DD344B46AF076DDE918A19D"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8F0D1470F59FC8049A691DB88DAA3AB8	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	wegame.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	wegame.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	wegame.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	wegame.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	wegame.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3164	msiexec.exe
3164	msiexec.exe
2304	powershell.exe
2304	powershell.exe
5476	ImCmkefCIwvS.exe
5476	ImCmkefCIwvS.exe
224	wegame.exe
224	wegame.exe
224	wegame.exe
224	wegame.exe
2080	ImCmkefCIwvS.exe
2080	ImCmkefCIwvS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3464	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3464	msiexec.exe
Token: SeSecurityPrivilege	3164	msiexec.exe
Token: SeCreateTokenPrivilege	3464	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3464	msiexec.exe
Token: SeLockMemoryPrivilege	3464	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3464	msiexec.exe
Token: SeMachineAccountPrivilege	3464	msiexec.exe
Token: SeTcbPrivilege	3464	msiexec.exe
Token: SeSecurityPrivilege	3464	msiexec.exe
Token: SeTakeOwnershipPrivilege	3464	msiexec.exe
Token: SeLoadDriverPrivilege	3464	msiexec.exe
Token: SeSystemProfilePrivilege	3464	msiexec.exe
Token: SeSystemtimePrivilege	3464	msiexec.exe
Token: SeProfSingleProcessPrivilege	3464	msiexec.exe
Token: SeIncBasePriorityPrivilege	3464	msiexec.exe
Token: SeCreatePagefilePrivilege	3464	msiexec.exe
Token: SeCreatePermanentPrivilege	3464	msiexec.exe
Token: SeBackupPrivilege	3464	msiexec.exe
Token: SeRestorePrivilege	3464	msiexec.exe
Token: SeShutdownPrivilege	3464	msiexec.exe
Token: SeDebugPrivilege	3464	msiexec.exe
Token: SeAuditPrivilege	3464	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3464	msiexec.exe
Token: SeChangeNotifyPrivilege	3464	msiexec.exe
Token: SeRemoteShutdownPrivilege	3464	msiexec.exe
Token: SeUndockPrivilege	3464	msiexec.exe
Token: SeSyncAgentPrivilege	3464	msiexec.exe
Token: SeEnableDelegationPrivilege	3464	msiexec.exe
Token: SeManageVolumePrivilege	3464	msiexec.exe
Token: SeImpersonatePrivilege	3464	msiexec.exe
Token: SeCreateGlobalPrivilege	3464	msiexec.exe
Token: SeBackupPrivilege	1236	vssvc.exe
Token: SeRestorePrivilege	1236	vssvc.exe
Token: SeAuditPrivilege	1236	vssvc.exe
Token: SeBackupPrivilege	3164	msiexec.exe
Token: SeRestorePrivilege	3164	msiexec.exe
Token: SeRestorePrivilege	3164	msiexec.exe
Token: SeTakeOwnershipPrivilege	3164	msiexec.exe
Token: SeRestorePrivilege	3164	msiexec.exe
Token: SeTakeOwnershipPrivilege	3164	msiexec.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeRestorePrivilege	3164	msiexec.exe
Token: SeTakeOwnershipPrivilege	3164	msiexec.exe
Token: SeRestorePrivilege	3164	msiexec.exe
Token: SeTakeOwnershipPrivilege	3164	msiexec.exe
Token: SeRestorePrivilege	3164	msiexec.exe
Token: SeTakeOwnershipPrivilege	3164	msiexec.exe
Token: SeRestorePrivilege	3164	msiexec.exe
Token: SeTakeOwnershipPrivilege	3164	msiexec.exe
Token: SeRestorePrivilege	3164	msiexec.exe
Token: SeTakeOwnershipPrivilege	3164	msiexec.exe
Token: SeRestorePrivilege	3164	msiexec.exe
Token: SeTakeOwnershipPrivilege	3164	msiexec.exe
Token: SeRestorePrivilege	3164	msiexec.exe
Token: SeTakeOwnershipPrivilege	3164	msiexec.exe
Token: SeRestorePrivilege	3164	msiexec.exe
Token: SeTakeOwnershipPrivilege	3164	msiexec.exe
Token: SeRestorePrivilege	3164	msiexec.exe
Token: SeTakeOwnershipPrivilege	3164	msiexec.exe
Token: SeRestorePrivilege	3164	msiexec.exe
Token: SeTakeOwnershipPrivilege	3164	msiexec.exe
Token: SeRestorePrivilege	3164	msiexec.exe
Token: SeTakeOwnershipPrivilege	3164	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3464	msiexec.exe
3464	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 4544	3164	msiexec.exe	84
PID 3164 wrote to memory of 4544	3164	msiexec.exe	84
PID 3164 wrote to memory of 4600	3164	msiexec.exe	86
PID 3164 wrote to memory of 4600	3164	msiexec.exe	86
PID 4600 wrote to memory of 2304	4600	MsiExec.exe	88
PID 4600 wrote to memory of 2304	4600	MsiExec.exe	88
PID 4600 wrote to memory of 4576	4600	MsiExec.exe	90
PID 4600 wrote to memory of 4576	4600	MsiExec.exe	90
PID 4600 wrote to memory of 2508	4600	MsiExec.exe	92
PID 4600 wrote to memory of 2508	4600	MsiExec.exe	92
PID 4600 wrote to memory of 5476	4600	MsiExec.exe	94
PID 4600 wrote to memory of 5476	4600	MsiExec.exe	94
PID 4600 wrote to memory of 5476	4600	MsiExec.exe	94
PID 1552 wrote to memory of 224	1552	xUOZdwMgclhR.exe	96
PID 1552 wrote to memory of 224	1552	xUOZdwMgclhR.exe	96
PID 1552 wrote to memory of 224	1552	xUOZdwMgclhR.exe	96
PID 224 wrote to memory of 2080	224	wegame.exe	97
PID 224 wrote to memory of 2080	224	wegame.exe	97
PID 224 wrote to memory of 2080	224	wegame.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\luoma2 (2).msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3464

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4544
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding BD31747DDC67D0E4C36E99EC392DC677 E Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MonitorAccentUpgrade','C:\Program Files','C:\Program Files'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe
    "C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe" x "C:\Program Files\MonitorAccentUpgrade\VjLlMrQGpGLvBWy." -key "]6!78DdiKjGuvOKWaXSe" -f -to "C:\Program Files\MonitorAccentUpgrade"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    PID:4576
- - C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe
    "C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe" x "C:\Program Files\MonitorAccentUpgrade\VGWTihpFnYDSOUb." -not "1_ImCmkefCIwvS.exe" -not "sss" -not "1_guXHBpJjoUzqOtpY.exe" -not "1_" -not "1_" -not "sa" -key "#2]52NyUPRyGSDcWankx" -f -to "C:\Program Files\MonitorAccentUpgrade"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    PID:2508
- - C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe
    "C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe" -nbg 106
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:5476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe
"C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe" -nbg 102
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Program Files\MonitorAccentUpgrade\wegame.exe
  "C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe" -nbg 102
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe
    "C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe" -nbg 72
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2080

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57add5.rbs

Filesize
7KB

MD5
72f40894ed4776e10c1fcf3f9f424525

SHA1
c71c389b80f62b6c13a48fe77d6001f5738de4cb

SHA256
690bb5944350bb3858b18bebb33ba42fdfe50a518d0d1751c033f82186c8e596

SHA512
50cd08a4935250b85b9011b60e7fe0821e758981a74443df2a26bc11b426fe2efa9580d26df34bc71739ac00725c658a9f97fdf84a5a17d8869ab2987ab5410e

Download Submit
C:\Program Files\MonitorAccentUpgrade\2_ImCmkefCIwvS.exe

Filesize
5.6MB

MD5
1dea5b679ece4af01ea4426b1c0b4f09

SHA1
eeb32377f13639260252982c332c70ba9742bde5

SHA256
66f6aedfbec41891470de9b6422bd1a11ae1505d3c3955013024d37019314454

SHA512
aec3c80c1d292be92dffde78abf3109e3e9838ae3ff4f0ab136814de357107157b092090b10ed793d2d27ed38674009ec0bc3d12415345701ce132bb1ebebd8d

Download Submit
C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe

Filesize
1.1MB

MD5
f0955f0293bcf104cedbd9bef3b9bf06

SHA1
9234781ec8fd66172afa50ffa37a3d0f9c1d3037

SHA256
7a94b4f1d6323a758c7b0b6344036f166bff0fd44f1c3c86f05b3688023496cb

SHA512
a4d53801689bf4f362ca86142b9bb2c2165e4e2b61937a4352963a1a78d8c7357da77ebe917c869ca8446e980fcdf0abb968253e8ce9218550ba447ad3a1101d

Download Submit
C:\Program Files\MonitorAccentUpgrade\VGWTihpFnYDSOUb

Filesize
3.3MB

MD5
e255d381e9d4a362b8fb7ad2cebfb0ee

SHA1
499bc663e9d1c14a2c93947d274885aaeb840ffe

SHA256
c1e288c75df5ca0bef1a881e2d541b886d29cb5e20809c78e4fe7fd803afec63

SHA512
5263e09e85c049b1ca9857f3fb5db768abba00b89ed68392bd4cb3bc543b89f110f626bafd2674904c1d24d2c0e65486434f72324e04174fdea3c7cceadc0117

Download Submit
C:\Program Files\MonitorAccentUpgrade\VjLlMrQGpGLvBWy

Filesize
3.3MB

MD5
cd81710739119d66aff29d65f5277173

SHA1
f329860b20a53a0a336ef0e2ae2941a8c89d0b05

SHA256
3332efedf6d13e556ffc2247ac97c68f1199993537fae7827699e1d7d148cd22

SHA512
f3909ccae467420c6c471b516041041e8ddb758867c7f692ee395736212eedce0d5e0f689d88c46f1345e9adb2efc36983e7a67c1004bc390fdc3fe553a05c9b

Download Submit
C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe

Filesize
1.0MB

MD5
5831e9e77179c55d1f08ab5a0900cf36

SHA1
a75af16800b3d25e6ea63f75fdbe7b258d2b34a1

SHA256
62b96c419e1a403eb367304d0c8ff4f6856e8922a296dcafd5c7515746ebe143

SHA512
a046a809514f96ab8a23fcbc9de92221f1e91f984f985548c744881cf8f2cc8a408b498dfe0acf501ffc0155a5dfc60e364785f086f77bd1b7d48a13add9cd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3lz2djzi.wxo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Installer\e57add4.msi

Filesize
3.9MB

MD5
daa3ec4cd16303cd510f8c95ebbfb8fd

SHA1
304c9caf4edc41e9a0ecfd6115cc684f9e23a316

SHA256
65f0a236ce67ad31629c7f7826058a2ff2d7a0b01e9f965ef6559f7ad38bf78a

SHA512
0b53adb67a9d44791172c5b9c13ad47413a2eb30213d4584165477164321d03307e9da3d12edec73e76ee79297983419aaca6a9fadb2c2a5b273cd29f2990acc

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
b37a7b36038ad00d91ff4388ea07430c

SHA1
f1664ffce5868baff819921b1a292c7f6bf423d4

SHA256
1f92182d847de12104cfc3b0b035d63a4f88d6747cdf67d0403ecb45d92be27b

SHA512
a8d6c7a7754068b51ee77b9c7597385a3f93be542277414559f9999f576170e2e8a7f201623a81f75b38c6e2827498a3e791e6924fe089580d5b6220a0d65feb

Download Submit
\??\Volume{6cf35c87-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c5a35702-e273-4603-b404-a0a2707e1fb9}_OnDiskSnapshotProp

Filesize
6KB

MD5
95395e73ec69042c93f1361614c5994f

SHA1
02d66da4676c39a4fbe2d65f112e11b18a63f0a1

SHA256
6f3287d930988f7ce810348b08f11130840c9e39ecc4ead13c0b18f51e3572f1

SHA512
8c8188fc49a29a57153168683d8614d9532a19d23609c5cac8d61f6284160b7e81fbc44281b25a59ddf62d510daeaada695d58efdb39295b2c22d0d74f4f17fa

Download Submit
memory/2080-70-0x000000002BB30000-0x000000002BB74000-memory.dmp

Filesize
272KB

Download
memory/2080-73-0x000000002BFB0000-0x000000002C16D000-memory.dmp

Filesize
1.7MB

Download
memory/2304-21-0x000001DDF7FB0000-0x000001DDF7FD2000-memory.dmp

Filesize
136KB

Download
memory/2508-38-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4576-29-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/5476-61-0x00000000013D0000-0x00000000013FA000-memory.dmp

Filesize
168KB

Download