plugx | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	google-game.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Fovupaevejy.exe

Loads dropped DLL 61 IoCs

pid	Process
1616	Install.tmp
4212	installer.exe
4212	installer.exe
4212	installer.exe
4460	MsiExec.exe
4460	MsiExec.exe
4272	rUNdlL32.eXe
5668	MsiExec.exe
5668	MsiExec.exe
5668	MsiExec.exe
5668	MsiExec.exe
5668	MsiExec.exe
5668	MsiExec.exe
5668	MsiExec.exe
5668	MsiExec.exe
5668	MsiExec.exe
5668	MsiExec.exe
4212	installer.exe
5668	MsiExec.exe
5668	MsiExec.exe
5380	toolspab1.exe
1588	MsiExec.exe
1588	MsiExec.exe
1588	MsiExec.exe
1588	MsiExec.exe
1588	MsiExec.exe
1588	MsiExec.exe
1588	MsiExec.exe
5668	MsiExec.exe
1016	1CD0.exe
1016	1CD0.exe
1016	1CD0.exe
1016	1CD0.exe
1016	1CD0.exe
1016	1CD0.exe
2504	installer.exe
2504	installer.exe
2504	installer.exe
5212	MsiExec.exe
5212	MsiExec.exe
3696	MsiExec.exe
3696	MsiExec.exe
3696	MsiExec.exe
3696	MsiExec.exe
3696	MsiExec.exe
3696	MsiExec.exe
3696	MsiExec.exe
3696	MsiExec.exe
3696	MsiExec.exe
3696	MsiExec.exe
2504	installer.exe
3696	MsiExec.exe
3696	MsiExec.exe
5764	MsiExec.exe
5764	MsiExec.exe
5764	MsiExec.exe
5764	MsiExec.exe
5764	MsiExec.exe
5764	MsiExec.exe
5764	MsiExec.exe
3696	MsiExec.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Caetepobuhe.exe\""	Ultra.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hbggg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\S:	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
46	ip-api.com

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent B608D0D1776A67BD	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4036 set thread context of 4348	4036	svchost.exe	113
PID 4588 set thread context of 5380	4588	toolspab1.exe	143

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\Reference Assemblies\Caetepobuhe.exe.config	Ultra.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File created	C:\Program Files\Java\LRKLGAZWBK\ultramediaburner.exe	Ultra.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files\Java\LRKLGAZWBK\ultramediaburner.exe.config	Ultra.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-4B1OR.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-LD923.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\Reference Assemblies\Caetepobuhe.exe	Ultra.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe

Drops file in Windows directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI4CB7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI50E6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI51D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8B9C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9728.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBE84.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBE16.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5251.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5290.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f74867b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9BCE.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC09D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB249.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI98EE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAAB5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBEC4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4ABD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4C97.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4F2D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5221.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E30.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI52C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAFC8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBDD7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E60.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBF03.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI5320.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9581.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB2F6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBF53.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI939C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA93D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4BB8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4BD8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4C28.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4EDE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5192.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4C08.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9AD3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4F3E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACC9.tmp	msiexec.exe
File created	C:\Windows\Installer\f74867e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E10.tmp	msiexec.exe
File created	C:\Windows\Installer\f74867b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBCAD.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
5988	taskkill.exe
6016	taskkill.exe
2068	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\17\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{C6B5F909-458F-4FF8-BD66-2CCD43A15645}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QJ2559JN-BF7A-LM2A-20M4-JBF9M43Q7G3S}\1 = "4972"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IY7880QH-GQ0R-SG6F-75Z5-PGQ2S76C3D6F}	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 625d3a2a3b4ad701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "800"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EL1681II-FO1F-AN2G-81K3-DNI5R86H5R6K}\1 = "25"	rUNdlL32.eXe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packag = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 70128f243b4ad701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WW6060MI-ED3Y-MI7M-57W2-EJZ5M77G1X0K}\1 = "1456"	svchost.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5816	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
740	ultramediaburner.tmp
740	ultramediaburner.tmp
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe
2324	Saloqehoce.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	Process not Found

Suspicious behavior: MapViewOfSection 51 IoCs

pid	Process
4592	MicrosoftEdgeCP.exe
4592	MicrosoftEdgeCP.exe
5380	toolspab1.exe
2680	Process not Found
2680	Process not Found
2680	Process not Found
2680	Process not Found
2680	Process not Found
2680	Process not Found
2680	Process not Found
2680	Process not Found
6048	explorer.exe
6048	explorer.exe
6048	explorer.exe
6048	explorer.exe
6048	explorer.exe
6048	explorer.exe
6048	explorer.exe
6048	explorer.exe
6048	explorer.exe
6048	explorer.exe
2680	Process not Found
2680	Process not Found
2680	Process not Found
2680	Process not Found
5672	explorer.exe
5672	explorer.exe
5672	explorer.exe
5672	explorer.exe
5672	explorer.exe
5672	explorer.exe
5672	explorer.exe
5672	explorer.exe
5672	explorer.exe
5672	explorer.exe
2680	Process not Found
2680	Process not Found
2680	Process not Found
2680	Process not Found
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2680	Process not Found
2680	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3936	Ultra.exe
Token: SeDebugPrivilege	2168	Fovupaevejy.exe
Token: SeDebugPrivilege	2324	Saloqehoce.exe
Token: SeDebugPrivilege	4396	MicrosoftEdge.exe
Token: SeDebugPrivilege	4396	MicrosoftEdge.exe
Token: SeDebugPrivilege	4396	MicrosoftEdge.exe
Token: SeDebugPrivilege	4396	MicrosoftEdge.exe
Token: SeSecurityPrivilege	4232	msiexec.exe
Token: SeCreateTokenPrivilege	4212	installer.exe
Token: SeAssignPrimaryTokenPrivilege	4212	installer.exe
Token: SeLockMemoryPrivilege	4212	installer.exe
Token: SeIncreaseQuotaPrivilege	4212	installer.exe
Token: SeMachineAccountPrivilege	4212	installer.exe
Token: SeTcbPrivilege	4212	installer.exe
Token: SeSecurityPrivilege	4212	installer.exe
Token: SeTakeOwnershipPrivilege	4212	installer.exe
Token: SeLoadDriverPrivilege	4212	installer.exe
Token: SeSystemProfilePrivilege	4212	installer.exe
Token: SeSystemtimePrivilege	4212	installer.exe
Token: SeProfSingleProcessPrivilege	4212	installer.exe
Token: SeIncBasePriorityPrivilege	4212	installer.exe
Token: SeCreatePagefilePrivilege	4212	installer.exe
Token: SeCreatePermanentPrivilege	4212	installer.exe
Token: SeBackupPrivilege	4212	installer.exe
Token: SeRestorePrivilege	4212	installer.exe
Token: SeShutdownPrivilege	4212	installer.exe
Token: SeDebugPrivilege	4212	installer.exe
Token: SeAuditPrivilege	4212	installer.exe
Token: SeSystemEnvironmentPrivilege	4212	installer.exe
Token: SeChangeNotifyPrivilege	4212	installer.exe
Token: SeRemoteShutdownPrivilege	4212	installer.exe
Token: SeUndockPrivilege	4212	installer.exe
Token: SeSyncAgentPrivilege	4212	installer.exe
Token: SeEnableDelegationPrivilege	4212	installer.exe
Token: SeManageVolumePrivilege	4212	installer.exe
Token: SeImpersonatePrivilege	4212	installer.exe
Token: SeCreateGlobalPrivilege	4212	installer.exe
Token: SeCreateTokenPrivilege	4212	installer.exe
Token: SeAssignPrimaryTokenPrivilege	4212	installer.exe
Token: SeLockMemoryPrivilege	4212	installer.exe
Token: SeIncreaseQuotaPrivilege	4212	installer.exe
Token: SeMachineAccountPrivilege	4212	installer.exe
Token: SeTcbPrivilege	4212	installer.exe
Token: SeSecurityPrivilege	4212	installer.exe
Token: SeTakeOwnershipPrivilege	4212	installer.exe
Token: SeLoadDriverPrivilege	4212	installer.exe
Token: SeSystemProfilePrivilege	4212	installer.exe
Token: SeSystemtimePrivilege	4212	installer.exe
Token: SeProfSingleProcessPrivilege	4212	installer.exe
Token: SeIncBasePriorityPrivilege	4212	installer.exe
Token: SeCreatePagefilePrivilege	4212	installer.exe
Token: SeCreatePermanentPrivilege	4212	installer.exe
Token: SeBackupPrivilege	4212	installer.exe
Token: SeRestorePrivilege	4212	installer.exe
Token: SeShutdownPrivilege	4212	installer.exe
Token: SeDebugPrivilege	4212	installer.exe
Token: SeAuditPrivilege	4212	installer.exe
Token: SeSystemEnvironmentPrivilege	4212	installer.exe
Token: SeChangeNotifyPrivilege	4212	installer.exe
Token: SeRemoteShutdownPrivilege	4212	installer.exe
Token: SeUndockPrivilege	4212	installer.exe
Token: SeSyncAgentPrivilege	4212	installer.exe
Token: SeEnableDelegationPrivilege	4212	installer.exe
Token: SeManageVolumePrivilege	4212	installer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
740	ultramediaburner.tmp
4212	installer.exe
2504	installer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4396	MicrosoftEdge.exe
4592	MicrosoftEdgeCP.exe
4592	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2680	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 1616	1852	Install.exe	75
PID 1852 wrote to memory of 1616	1852	Install.exe	75
PID 1852 wrote to memory of 1616	1852	Install.exe	75
PID 1616 wrote to memory of 3936	1616	Install.tmp	77
PID 1616 wrote to memory of 3936	1616	Install.tmp	77
PID 3936 wrote to memory of 3000	3936	Ultra.exe	80
PID 3936 wrote to memory of 3000	3936	Ultra.exe	80
PID 3936 wrote to memory of 3000	3936	Ultra.exe	80
PID 3000 wrote to memory of 740	3000	ultramediaburner.exe	81
PID 3000 wrote to memory of 740	3000	ultramediaburner.exe	81
PID 3000 wrote to memory of 740	3000	ultramediaburner.exe	81
PID 3936 wrote to memory of 2168	3936	Ultra.exe	82
PID 3936 wrote to memory of 2168	3936	Ultra.exe	82
PID 740 wrote to memory of 1820	740	ultramediaburner.tmp	83
PID 740 wrote to memory of 1820	740	ultramediaburner.tmp	83
PID 3936 wrote to memory of 2324	3936	Ultra.exe	84
PID 3936 wrote to memory of 2324	3936	Ultra.exe	84
PID 2324 wrote to memory of 4204	2324	Saloqehoce.exe	88
PID 2324 wrote to memory of 4204	2324	Saloqehoce.exe	88
PID 4204 wrote to memory of 4344	4204	cmd.exe	90
PID 4204 wrote to memory of 4344	4204	cmd.exe	90
PID 4204 wrote to memory of 4344	4204	cmd.exe	90
PID 2324 wrote to memory of 4976	2324	Saloqehoce.exe	93
PID 2324 wrote to memory of 4976	2324	Saloqehoce.exe	93
PID 4976 wrote to memory of 4212	4976	cmd.exe	95
PID 4976 wrote to memory of 4212	4976	cmd.exe	95
PID 4976 wrote to memory of 4212	4976	cmd.exe	95
PID 2324 wrote to memory of 4264	2324	Saloqehoce.exe	96
PID 2324 wrote to memory of 4264	2324	Saloqehoce.exe	96
PID 4264 wrote to memory of 4496	4264	cmd.exe	98
PID 4264 wrote to memory of 4496	4264	cmd.exe	98
PID 4264 wrote to memory of 4496	4264	cmd.exe	98
PID 4496 wrote to memory of 4584	4496	hbggg.exe	115
PID 4496 wrote to memory of 4584	4496	hbggg.exe	115
PID 4496 wrote to memory of 4584	4496	hbggg.exe	115
PID 2324 wrote to memory of 3120	2324	Saloqehoce.exe	105
PID 2324 wrote to memory of 3120	2324	Saloqehoce.exe	105
PID 4232 wrote to memory of 4460	4232	msiexec.exe	107
PID 4232 wrote to memory of 4460	4232	msiexec.exe	107
PID 4232 wrote to memory of 4460	4232	msiexec.exe	107
PID 3120 wrote to memory of 4604	3120	cmd.exe	108
PID 3120 wrote to memory of 4604	3120	cmd.exe	108
PID 3120 wrote to memory of 4604	3120	cmd.exe	108
PID 2324 wrote to memory of 4696	2324	Saloqehoce.exe	109
PID 2324 wrote to memory of 4696	2324	Saloqehoce.exe	109
PID 4696 wrote to memory of 4256	4696	cmd.exe	111
PID 4696 wrote to memory of 4256	4696	cmd.exe	111
PID 4696 wrote to memory of 4256	4696	cmd.exe	111
PID 4604 wrote to memory of 4272	4604	google-game.exe	112
PID 4604 wrote to memory of 4272	4604	google-game.exe	112
PID 4604 wrote to memory of 4272	4604	google-game.exe	112
PID 4272 wrote to memory of 4036	4272	rUNdlL32.eXe	49
PID 4036 wrote to memory of 4348	4036	svchost.exe	113
PID 4036 wrote to memory of 4348	4036	svchost.exe	113
PID 4272 wrote to memory of 2560	4272	rUNdlL32.eXe	15
PID 4036 wrote to memory of 4348	4036	svchost.exe	113
PID 4272 wrote to memory of 68	4272	rUNdlL32.eXe	57
PID 4272 wrote to memory of 2224	4272	rUNdlL32.eXe	24
PID 4212 wrote to memory of 4424	4212	installer.exe	114
PID 4212 wrote to memory of 4424	4212	installer.exe	114
PID 4212 wrote to memory of 4424	4212	installer.exe	114
PID 4272 wrote to memory of 2236	4272	rUNdlL32.eXe	23
PID 4256 wrote to memory of 4428	4256	huesaa.exe	116
PID 4256 wrote to memory of 4428	4256	huesaa.exe	116

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2552

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2532

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2236

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2224

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\is-TPBLU.tmp\Install.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TPBLU.tmp\Install.tmp" /SL5="$801DA,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\is-4PSNO.tmp\Ultra.exe
    "C:\Users\Admin\AppData\Local\Temp\is-4PSNO.tmp\Ultra.exe" /S /UID=burnerch1
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Program Files\Java\LRKLGAZWBK\ultramediaburner.exe
      "C:\Program Files\Java\LRKLGAZWBK\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Users\Admin\AppData\Local\Temp\is-BK3QF.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BK3QF.tmp\ultramediaburner.tmp" /SL5="$130052,281924,62464,C:\Program Files\Java\LRKLGAZWBK\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:740
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        
        PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\e9-2ebee-314-4e4a7-0bd01eb4191a9\Fovupaevejy.exe
      "C:\Users\Admin\AppData\Local\Temp\e9-2ebee-314-4e4a7-0bd01eb4191a9\Fovupaevejy.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\34-d280d-edf-65c9d-ec3c671abfc4c\Saloqehoce.exe
      "C:\Users\Admin\AppData\Local\Temp\34-d280d-edf-65c9d-ec3c671abfc4c\Saloqehoce.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gnwnwgo2.saw\001.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4204
      - C:\Users\Admin\AppData\Local\Temp\gnwnwgo2.saw\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\gnwnwgo2.saw\001.exe
        6⤵
        Executes dropped EXE
        
        PID:4344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0jl0sedk.wd0\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4976
      - C:\Users\Admin\AppData\Local\Temp\0jl0sedk.wd0\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\0jl0sedk.wd0\installer.exe /qn CAMPAIGN="654"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\0jl0sedk.wd0\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\0jl0sedk.wd0\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1620900303 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:4424
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2iv4q4iz.oqe\hbggg.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4264
      - C:\Users\Admin\AppData\Local\Temp\2iv4q4iz.oqe\hbggg.exe
        
        C:\Users\Admin\AppData\Local\Temp\2iv4q4iz.oqe\hbggg.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5316
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g42yehsx.43o\google-game.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3120
      - C:\Users\Admin\AppData\Local\Temp\g42yehsx.43o\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\g42yehsx.43o\google-game.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        7⤵
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cpwuw0bn.igf\huesaa.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4696
      - C:\Users\Admin\AppData\Local\Temp\cpwuw0bn.igf\huesaa.exe
        
        C:\Users\Admin\AppData\Local\Temp\cpwuw0bn.igf\huesaa.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:5640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wmk0glw5.ptu\setup.exe & exit
        5⤵
        
        PID:2268
      - C:\Users\Admin\AppData\Local\Temp\wmk0glw5.ptu\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\wmk0glw5.ptu\setup.exe
        6⤵
        Executes dropped EXE
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\wmk0glw5.ptu\setup.exe"
        7⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        8⤵
        Runs ping.exe
        
        PID:5816
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xs4rnpmv.54k\askinstall39.exe & exit
        5⤵
        
        PID:5464
      - C:\Users\Admin\AppData\Local\Temp\xs4rnpmv.54k\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\xs4rnpmv.54k\askinstall39.exe
        6⤵
        Executes dropped EXE
        
        PID:5820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:6016
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ga0pqkgw.0q0\customer1.exe & exit
        5⤵
        
        PID:5832
      - C:\Users\Admin\AppData\Local\Temp\ga0pqkgw.0q0\customer1.exe
        
        C:\Users\Admin\AppData\Local\Temp\ga0pqkgw.0q0\customer1.exe
        6⤵
        Executes dropped EXE
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:4508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zhogonux.oss\toolspab1.exe & exit
        5⤵
        
        PID:6080
      - C:\Users\Admin\AppData\Local\Temp\zhogonux.oss\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\zhogonux.oss\toolspab1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\zhogonux.oss\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\zhogonux.oss\toolspab1.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:5380
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5fqtrqfd.hxt\GcleanerWW.exe /mixone & exit
        5⤵
        Executes dropped EXE
        
        PID:5640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bh3fkato.ek1\005.exe & exit
        5⤵
        
        PID:2000
      - C:\Users\Admin\AppData\Local\Temp\bh3fkato.ek1\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\bh3fkato.ek1\005.exe
        6⤵
        Executes dropped EXE
        
        PID:5284
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\clyzp14s.3kl\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        
        PID:504
      - C:\Users\Admin\AppData\Local\Temp\clyzp14s.3kl\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\clyzp14s.3kl\installer.exe /qn CAMPAIGN="654"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        
        PID:2504
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\clyzp14s.3kl\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\clyzp14s.3kl\ EXE_CMD_LINE="/forcecleanup /wintime 1620900303 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:3380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1288

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1196

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:4348

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1104

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1064

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:68

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4396

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4804

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4592

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4DAEF5E23E11ED0E25CEACF977D0FA4B C
  2⤵
  - Loads dropped DLL
  PID:4460
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4A3F863EC6C8877CAC445DD1A70A33B5
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:5668
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5988
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A49157291EDDBF737815340337AB0C32 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:1588
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2AD4F4B40D193D5EE93C90A9C9E198C5 C
  2⤵
  - Loads dropped DLL
  PID:5212
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 16D14AA9E3C8297788D9BF069CDC00CA
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:3696
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:2068
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 10C9E9D6A93AFCB5B4EC244B6C1B1409 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5764

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4912

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5708

C:\Users\Admin\AppData\Local\Temp\1CD0.exe
C:\Users\Admin\AppData\Local\Temp\1CD0.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3768

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5736

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6008

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:6048

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5840

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5672

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3488

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2604

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery