plugx | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Gywuzhylicy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	keygen-step-4d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	jfiag3g_gg.exe

Loads dropped DLL 63 IoCs

pid	Process
3628	rundll32.exe
192	Install.tmp
4752	installer.exe
4752	installer.exe
4752	installer.exe
5756	MsiExec.exe
5756	MsiExec.exe
5440	rUNdlL32.eXe
2076	MsiExec.exe
2076	MsiExec.exe
2076	MsiExec.exe
2076	MsiExec.exe
2076	MsiExec.exe
2076	MsiExec.exe
2076	MsiExec.exe
2076	MsiExec.exe
2076	MsiExec.exe
2076	MsiExec.exe
4752	installer.exe
2076	MsiExec.exe
2076	MsiExec.exe
5644	MsiExec.exe
5644	MsiExec.exe
5644	MsiExec.exe
5644	MsiExec.exe
5644	MsiExec.exe
5644	MsiExec.exe
5644	MsiExec.exe
2076	MsiExec.exe
4696	toolspab1.exe
6120	installer.exe
6120	installer.exe
6120	installer.exe
5024	MsiExec.exe
5024	MsiExec.exe
6140	MsiExec.exe
6140	MsiExec.exe
6140	MsiExec.exe
6140	MsiExec.exe
6140	MsiExec.exe
6140	MsiExec.exe
6140	MsiExec.exe
6140	MsiExec.exe
6140	MsiExec.exe
6140	MsiExec.exe
6120	installer.exe
6140	MsiExec.exe
6140	MsiExec.exe
5144	MsiExec.exe
5144	MsiExec.exe
5144	MsiExec.exe
5144	MsiExec.exe
5144	MsiExec.exe
5144	MsiExec.exe
5144	MsiExec.exe
6140	MsiExec.exe
5584	950D.exe
5584	950D.exe
5584	950D.exe
5584	950D.exe
5584	950D.exe
5584	950D.exe
4264	ugddcae

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Becibaemoli.exe\""	Ultra.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hbggg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg6_6asg.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\O:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
78	ip-api.com

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 0CDE0FC9DA8F23AE	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3852 set thread context of 3132	3852	svchost.exe	80
PID 3852 set thread context of 3716	3852	svchost.exe	86
PID 4824 set thread context of 4696	4824	toolspab1.exe	157
PID 216 set thread context of 4264	216	ugddcae	188

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\libEGL.dll	xiuhuali.exe
File created	C:\Program Files\Windows Sidebar\MUNCHQVVOV\ultramediaburner.exe	Ultra.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File created	C:\Program Files\install.dll	xiuhuali.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File created	C:\Program Files\Windows Sidebar\MUNCHQVVOV\ultramediaburner.exe.config	Ultra.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\Windows Portable Devices\Becibaemoli.exe.config	Ultra.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Becibaemoli.exe	Ultra.exe
File created	C:\Program Files\install.dat	xiuhuali.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-91OR8.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-S8PQ0.tmp	ultramediaburner.tmp

Drops file in Windows directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIA891.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBCF4.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA158.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB69B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA225.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAAE5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB5CC.tmp	msiexec.exe
File created	C:\Windows\Installer\f749986.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB961.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBCD4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB864.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB8A3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB5ED.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC44.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB465.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E39.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC0F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB853.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB6EB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBCA4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA28.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB329.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSIBB96.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC64.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA2C3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB4F2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB493.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f749986.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB378.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB971.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBD54.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIADB6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB21E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB66B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB63C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1B7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB3C7.tmp	msiexec.exe
File created	C:\Windows\Installer\f749989.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIADF5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB2EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB65C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB921.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC14.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA302.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ugddcae
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ugddcae
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ugddcae

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
5084	taskkill.exe
4800	taskkill.exe
4424	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\16\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\17\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WW6060MI-ED3Y-MI7M-57W2-EJZ5M77G1X0K}\1 = "3432"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WW6060MI-ED3Y-MI7M-57W2-EJZ5M77G1X0K}\1 = "3832"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{78D348A4-CFBC-428D-8DB6-B9EF64FAE903} = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 73ce8dd0ee48d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "jdf4ne9"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 0100000048afe9aaeab0d01f3af87322bd3eb14e8816f4e41e8beb6a6739b5f1950a78fa1103401391d566d0122a6660c4c85e80bb18defe33a403c19d8d85f8982cbde8ac3b96d4394bd11d1c695f20b867134b24f89d2100344c9a459b	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 27db95cfee48d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{TV2553ZI-PZ3Y-VP7M-68Y0-MJT9X67Z6U7M}	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WW6060MI-ED3Y-MI7M-57W2-EJZ5M77G1X0K}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QJ2559JN-BF7A-LM2A-20M4-JBF9M43Q7G3S}\1 = "1836"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	filee.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	filee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3380	PING.EXE
6116	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3628	rundll32.exe
3628	rundll32.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
736	ultramediaburner.tmp
736	ultramediaburner.tmp
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe
4112	Faboqugyfa.exe

Suspicious behavior: MapViewOfSection 22 IoCs

pid	Process
4956	MicrosoftEdgeCP.exe
4956	MicrosoftEdgeCP.exe
4696	toolspab1.exe
1700	Process not Found
1700	Process not Found
1700	Process not Found
1700	Process not Found
1700	Process not Found
1700	Process not Found
1700	Process not Found
1700	Process not Found
1700	Process not Found
1700	Process not Found
1700	Process not Found
1700	Process not Found
1700	Process not Found
1700	Process not Found
1700	Process not Found
1700	Process not Found
1700	Process not Found
1700	Process not Found
4264	ugddcae

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	rundll32.exe
Token: SeTcbPrivilege	3852	svchost.exe
Token: SeDebugPrivilege	3628	rundll32.exe
Token: SeDebugPrivilege	3628	rundll32.exe
Token: SeDebugPrivilege	3700	JoSetp.exe
Token: SeDebugPrivilege	3628	rundll32.exe
Token: SeDebugPrivilege	3628	rundll32.exe
Token: SeDebugPrivilege	3628	rundll32.exe
Token: SeDebugPrivilege	3628	rundll32.exe
Token: SeDebugPrivilege	3628	rundll32.exe
Token: SeDebugPrivilege	3628	rundll32.exe
Token: SeDebugPrivilege	3628	rundll32.exe
Token: SeDebugPrivilege	3628	rundll32.exe
Token: SeDebugPrivilege	3628	rundll32.exe
Token: SeDebugPrivilege	3628	rundll32.exe
Token: SeDebugPrivilege	1468	Ultra.exe
Token: SeTcbPrivilege	3852	svchost.exe
Token: SeAuditPrivilege	2364	svchost.exe
Token: SeDebugPrivilege	4112	Faboqugyfa.exe
Token: SeDebugPrivilege	3168	Gywuzhylicy.exe
Token: SeAssignPrimaryTokenPrivilege	2692	svchost.exe
Token: SeIncreaseQuotaPrivilege	2692	svchost.exe
Token: SeSecurityPrivilege	2692	svchost.exe
Token: SeTakeOwnershipPrivilege	2692	svchost.exe
Token: SeLoadDriverPrivilege	2692	svchost.exe
Token: SeSystemtimePrivilege	2692	svchost.exe
Token: SeBackupPrivilege	2692	svchost.exe
Token: SeRestorePrivilege	2692	svchost.exe
Token: SeShutdownPrivilege	2692	svchost.exe
Token: SeSystemEnvironmentPrivilege	2692	svchost.exe
Token: SeUndockPrivilege	2692	svchost.exe
Token: SeManageVolumePrivilege	2692	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2692	svchost.exe
Token: SeIncreaseQuotaPrivilege	2692	svchost.exe
Token: SeSecurityPrivilege	2692	svchost.exe
Token: SeTakeOwnershipPrivilege	2692	svchost.exe
Token: SeLoadDriverPrivilege	2692	svchost.exe
Token: SeSystemtimePrivilege	2692	svchost.exe
Token: SeBackupPrivilege	2692	svchost.exe
Token: SeRestorePrivilege	2692	svchost.exe
Token: SeShutdownPrivilege	2692	svchost.exe
Token: SeSystemEnvironmentPrivilege	2692	svchost.exe
Token: SeUndockPrivilege	2692	svchost.exe
Token: SeManageVolumePrivilege	2692	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2692	svchost.exe
Token: SeIncreaseQuotaPrivilege	2692	svchost.exe
Token: SeSecurityPrivilege	2692	svchost.exe
Token: SeTakeOwnershipPrivilege	2692	svchost.exe
Token: SeLoadDriverPrivilege	2692	svchost.exe
Token: SeSystemtimePrivilege	2692	svchost.exe
Token: SeBackupPrivilege	2692	svchost.exe
Token: SeRestorePrivilege	2692	svchost.exe
Token: SeShutdownPrivilege	2692	svchost.exe
Token: SeSystemEnvironmentPrivilege	2692	svchost.exe
Token: SeUndockPrivilege	2692	svchost.exe
Token: SeManageVolumePrivilege	2692	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2692	svchost.exe
Token: SeIncreaseQuotaPrivilege	2692	svchost.exe
Token: SeSecurityPrivilege	2692	svchost.exe
Token: SeTakeOwnershipPrivilege	2692	svchost.exe
Token: SeLoadDriverPrivilege	2692	svchost.exe
Token: SeSystemtimePrivilege	2692	svchost.exe
Token: SeBackupPrivilege	2692	svchost.exe
Token: SeRestorePrivilege	2692	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
736	ultramediaburner.tmp
4752	installer.exe
6120	installer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2400	xiuhuali.exe
2400	xiuhuali.exe
4692	MicrosoftEdge.exe
4848	cmd.exe
4956	MicrosoftEdgeCP.exe
4956	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1700	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2400	2232	keygen-step-4d.exe	75
PID 2232 wrote to memory of 2400	2232	keygen-step-4d.exe	75
PID 2232 wrote to memory of 2400	2232	keygen-step-4d.exe	75
PID 2400 wrote to memory of 3628	2400	xiuhuali.exe	78
PID 2400 wrote to memory of 3628	2400	xiuhuali.exe	78
PID 2400 wrote to memory of 3628	2400	xiuhuali.exe	78
PID 2232 wrote to memory of 3700	2232	keygen-step-4d.exe	79
PID 2232 wrote to memory of 3700	2232	keygen-step-4d.exe	79
PID 3628 wrote to memory of 3852	3628	rundll32.exe	71
PID 3852 wrote to memory of 3132	3852	svchost.exe	80
PID 3852 wrote to memory of 3132	3852	svchost.exe	80
PID 3628 wrote to memory of 2596	3628	rundll32.exe	31
PID 3852 wrote to memory of 3132	3852	svchost.exe	80
PID 3628 wrote to memory of 1000	3628	rundll32.exe	62
PID 3628 wrote to memory of 2380	3628	rundll32.exe	35
PID 3628 wrote to memory of 2364	3628	rundll32.exe	36
PID 3628 wrote to memory of 1164	3628	rundll32.exe	10
PID 3628 wrote to memory of 1040	3628	rundll32.exe	59
PID 3628 wrote to memory of 1416	3628	rundll32.exe	51
PID 3628 wrote to memory of 1852	3628	rundll32.exe	43
PID 3628 wrote to memory of 1204	3628	rundll32.exe	54
PID 3628 wrote to memory of 1396	3628	rundll32.exe	11
PID 3628 wrote to memory of 2692	3628	rundll32.exe	26
PID 3628 wrote to memory of 2672	3628	rundll32.exe	27
PID 2232 wrote to memory of 1676	2232	keygen-step-4d.exe	81
PID 2232 wrote to memory of 1676	2232	keygen-step-4d.exe	81
PID 2232 wrote to memory of 1676	2232	keygen-step-4d.exe	81
PID 1676 wrote to memory of 192	1676	Install.exe	82
PID 1676 wrote to memory of 192	1676	Install.exe	82
PID 1676 wrote to memory of 192	1676	Install.exe	82
PID 192 wrote to memory of 1468	192	Install.tmp	85
PID 192 wrote to memory of 1468	192	Install.tmp	85
PID 3852 wrote to memory of 3716	3852	svchost.exe	86
PID 3852 wrote to memory of 3716	3852	svchost.exe	86
PID 3852 wrote to memory of 3716	3852	svchost.exe	86
PID 1468 wrote to memory of 1096	1468	Ultra.exe	88
PID 1468 wrote to memory of 1096	1468	Ultra.exe	88
PID 1468 wrote to memory of 1096	1468	Ultra.exe	88
PID 1096 wrote to memory of 736	1096	ultramediaburner.exe	89
PID 1096 wrote to memory of 736	1096	ultramediaburner.exe	89
PID 1096 wrote to memory of 736	1096	ultramediaburner.exe	89
PID 736 wrote to memory of 3144	736	ultramediaburner.tmp	90
PID 736 wrote to memory of 3144	736	ultramediaburner.tmp	90
PID 1468 wrote to memory of 3168	1468	Ultra.exe	91
PID 1468 wrote to memory of 3168	1468	Ultra.exe	91
PID 1468 wrote to memory of 4112	1468	Ultra.exe	92
PID 1468 wrote to memory of 4112	1468	Ultra.exe	92
PID 2232 wrote to memory of 4260	2232	keygen-step-4d.exe	94
PID 2232 wrote to memory of 4260	2232	keygen-step-4d.exe	94
PID 2232 wrote to memory of 4260	2232	keygen-step-4d.exe	94
PID 4112 wrote to memory of 4848	4112	Faboqugyfa.exe	99
PID 4112 wrote to memory of 4848	4112	Faboqugyfa.exe	99
PID 4112 wrote to memory of 4864	4112	Faboqugyfa.exe	100
PID 4112 wrote to memory of 4864	4112	Faboqugyfa.exe	100
PID 4260 wrote to memory of 4972	4260	filee.exe	103
PID 4260 wrote to memory of 4972	4260	filee.exe	103
PID 4260 wrote to memory of 4972	4260	filee.exe	103
PID 4864 wrote to memory of 4108	4864	cmd.exe	105
PID 4864 wrote to memory of 4108	4864	cmd.exe	105
PID 4864 wrote to memory of 4108	4864	cmd.exe	105
PID 4972 wrote to memory of 3380	4972	cmd.exe	148
PID 4972 wrote to memory of 3380	4972	cmd.exe	148
PID 4972 wrote to memory of 3380	4972	cmd.exe	148
PID 4112 wrote to memory of 4136	4112	Faboqugyfa.exe	107

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1164

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2672

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2596

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1204

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1040
- C:\Users\Admin\AppData\Roaming\ugddcae
  C:\Users\Admin\AppData\Roaming\ugddcae
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:216
- - C:\Users\Admin\AppData\Roaming\ugddcae
    C:\Users\Admin\AppData\Roaming\ugddcae
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:4264

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\keygen-step-4d.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3628
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3700
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\is-C9D17.tmp\Install.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-C9D17.tmp\Install.tmp" /SL5="$50056,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:192
  - - C:\Users\Admin\AppData\Local\Temp\is-O4DC7.tmp\Ultra.exe
      "C:\Users\Admin\AppData\Local\Temp\is-O4DC7.tmp\Ultra.exe" /S /UID=burnerch1
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Program Files\Windows Sidebar\MUNCHQVVOV\ultramediaburner.exe
        
        "C:\Program Files\Windows Sidebar\MUNCHQVVOV\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1096
      - C:\Users\Admin\AppData\Local\Temp\is-O8UD4.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-O8UD4.tmp\ultramediaburner.tmp" /SL5="$601FA,281924,62464,C:\Program Files\Windows Sidebar\MUNCHQVVOV\ultramediaburner.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        7⤵
        Executes dropped EXE
        
        PID:3144
    - - C:\Users\Admin\AppData\Local\Temp\5c-bea3c-eba-b4991-923ee72f7c29f\Gywuzhylicy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5c-bea3c-eba-b4991-923ee72f7c29f\Gywuzhylicy.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
    - - C:\Users\Admin\AppData\Local\Temp\c7-b7b94-c25-b42b7-f5133574136a0\Faboqugyfa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c7-b7b94-c25-b42b7-f5133574136a0\Faboqugyfa.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4112
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zpxhqm1u.awt\ebook.exe & exit
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4848
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4euo2ta2.40x\001.exe & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\4euo2ta2.40x\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\4euo2ta2.40x\001.exe
        7⤵
        Executes dropped EXE
        
        PID:4108
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1kox525o.axq\installer.exe /qn CAMPAIGN="654" & exit
        6⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\1kox525o.axq\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\1kox525o.axq\installer.exe /qn CAMPAIGN="654"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:4752
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\1kox525o.axq\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\1kox525o.axq\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1620757564 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        8⤵
        
        PID:6008
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vp2zxkdx.ohe\hbggg.exe & exit
        6⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\vp2zxkdx.ohe\hbggg.exe
        
        C:\Users\Admin\AppData\Local\Temp\vp2zxkdx.ohe\hbggg.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        Executes dropped EXE
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        Executes dropped EXE
        
        PID:2180
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jzes4jr3.2hi\google-game.exe & exit
        6⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\jzes4jr3.2hi\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\jzes4jr3.2hi\google-game.exe
        7⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        8⤵
        Loads dropped DLL
        
        PID:5440
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a0434dq2.lm1\huesaa.exe & exit
        6⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\a0434dq2.lm1\huesaa.exe
        
        C:\Users\Admin\AppData\Local\Temp\a0434dq2.lm1\huesaa.exe
        7⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        Executes dropped EXE
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        Executes dropped EXE
        
        PID:3380
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\npecmki2.jcp\setup.exe & exit
        6⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\npecmki2.jcp\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\npecmki2.jcp\setup.exe
        7⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\npecmki2.jcp\setup.exe"
        8⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        9⤵
        Runs ping.exe
        
        PID:6116
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x33t0e20.eqy\askinstall39.exe & exit
        6⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\x33t0e20.eqy\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\x33t0e20.eqy\askinstall39.exe
        7⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:4800
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\upbqvbei.kym\customer1.exe & exit
        6⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\upbqvbei.kym\customer1.exe
        
        C:\Users\Admin\AppData\Local\Temp\upbqvbei.kym\customer1.exe
        7⤵
        Executes dropped EXE
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        Executes dropped EXE
        
        PID:5764
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2oev1rek.tk4\toolspab1.exe & exit
        6⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\2oev1rek.tk4\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\2oev1rek.tk4\toolspab1.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\2oev1rek.tk4\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\2oev1rek.tk4\toolspab1.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:4696
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\24zi5dtm.udy\GcleanerWW.exe /mixone & exit
        6⤵
        
        PID:5372
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mvkaizzk.ill\005.exe & exit
        6⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\mvkaizzk.ill\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\mvkaizzk.ill\005.exe
        7⤵
        Executes dropped EXE
        
        PID:5536
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uuufcrwq.i20\installer.exe /qn CAMPAIGN="654" & exit
        6⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\uuufcrwq.i20\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\uuufcrwq.i20\installer.exe /qn CAMPAIGN="654"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        
        PID:6120
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\uuufcrwq.i20\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\uuufcrwq.i20\ EXE_CMD_LINE="/forcecleanup /wintime 1620757564 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        8⤵
        
        PID:2124
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe" >> NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3380
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:424
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"
  2⤵
  - Executes dropped EXE
  PID:5972
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:6084
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:5072

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:3132
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:3716

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4692

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4796

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4956

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4880

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5164

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:5376
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B3A15F3FD415F03CB4D269E7123DBEEC C
  2⤵
  - Loads dropped DLL
  PID:5756
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BB06C5AB9C2FC958A373333628EE0BE7
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2076
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5084
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3A8A10047EBAB93A817B6765523A961C E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5644
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FEE73F10DF8E2B6551D0924592E6B6BC C
  2⤵
  - Loads dropped DLL
  PID:5024
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A408BC3DBA6EF61BB76F2CF8292F259C
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:6140
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:4424
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 355481A7E006D0F84923C9113E31AC02 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5144

C:\Users\Admin\AppData\Local\Temp\950D.exe
C:\Users\Admin\AppData\Local\Temp\950D.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5584

C:\Users\Admin\AppData\Local\Temp\9A6D.exe
C:\Users\Admin\AppData\Local\Temp\9A6D.exe
1⤵
- Executes dropped EXE
PID:5608

C:\Users\Admin\AppData\Local\Temp\A29C.exe
C:\Users\Admin\AppData\Local\Temp\A29C.exe
1⤵
- Executes dropped EXE
PID:5684

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:652

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5640

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5360

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4876

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5976

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1580

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5400

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3276

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery