plugx | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Lewukadike.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	google-game.exe

Loads dropped DLL 64 IoCs

pid	Process
1916	Install.tmp
1660	installer.exe
1660	installer.exe
1660	installer.exe
2872	MsiExec.exe
2872	MsiExec.exe
5308	rUNdlL32.eXe
5596	MsiExec.exe
5596	MsiExec.exe
5596	MsiExec.exe
5596	MsiExec.exe
5596	MsiExec.exe
5596	MsiExec.exe
5596	MsiExec.exe
5596	MsiExec.exe
5596	MsiExec.exe
5596	MsiExec.exe
1660	installer.exe
5596	MsiExec.exe
5596	MsiExec.exe
2216	toolspab1.exe
2308	MsiExec.exe
2308	MsiExec.exe
2308	MsiExec.exe
2308	MsiExec.exe
2308	MsiExec.exe
2308	MsiExec.exe
2308	MsiExec.exe
5596	MsiExec.exe
1776	installer.exe
1776	installer.exe
1776	installer.exe
5896	MsiExec.exe
5896	MsiExec.exe
5932	3672.exe
5904	76D6.exe
5708	MsiExec.exe
5708	MsiExec.exe
5708	MsiExec.exe
5708	MsiExec.exe
5708	MsiExec.exe
5708	MsiExec.exe
5708	MsiExec.exe
5708	MsiExec.exe
5708	MsiExec.exe
5708	MsiExec.exe
1776	installer.exe
5708	MsiExec.exe
5708	MsiExec.exe
5432	MsiExec.exe
5432	MsiExec.exe
5432	MsiExec.exe
5432	MsiExec.exe
5432	MsiExec.exe
5432	MsiExec.exe
5432	MsiExec.exe
5708	MsiExec.exe
3052	crsewba
1644	cesewba
3852	C50F.exe
3852	C50F.exe
3852	C50F.exe
3852	C50F.exe
3852	C50F.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Common Files\\Ciholaekeme.exe\""	Ultra.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	ip-api.com

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 55690E292EAEE0FA	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 20837DE8B2B40D5A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 3836 set thread context of 5472	3836	svchost.exe	115
PID 5800 set thread context of 2216	5800	toolspab1.exe	135
PID 4748 set thread context of 192	4748	B2A.exe	175
PID 3912 set thread context of 5904	3912	76D6.exe	178
PID 2312 set thread context of 1644	2312	cesewba	182
PID 5248 set thread context of 4556	5248	cesewba	196
PID 6080 set thread context of 5964	6080	cesewba	201

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\Common Files\Ciholaekeme.exe	Ultra.exe
File created	C:\Program Files (x86)\Common Files\Ciholaekeme.exe.config	Ultra.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files\Windows Portable Devices\MCIDFADSOD\ultramediaburner.exe.config	Ultra.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files\Windows Portable Devices\MCIDFADSOD\ultramediaburner.exe	Ultra.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-T02O0.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-8FBTO.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe

Drops file in Windows directory 55 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI7FC5.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIABEC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA947.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7446.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI8BED.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6DF5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI794F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7582.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75A2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI78F1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7542.tmp	msiexec.exe
File created	C:\Windows\Installer\f74799a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A75.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A8C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A98.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA76F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7154.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7B2A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8832.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B93.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA029.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA986.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI74A5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E8E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7105.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA73.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI70D5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI72DD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7853.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA84B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA9E5.tmp	msiexec.exe
File created	C:\Windows\Installer\f74799d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7220.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI79DD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A5C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA88A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7057.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7426.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\f74799a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8FE7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI90E2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E05.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A1C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9901.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA105.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	76D6.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cesewba
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	crsewba
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cesewba
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cesewba
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	crsewba
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	crsewba
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cesewba
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cesewba
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cesewba
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	crsewba
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cesewba
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	crsewba
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cesewba
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	76D6.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	76D6.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	crsewba
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cesewba
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	crsewba
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	crsewba
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	crsewba

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
6048	taskkill.exe
4376	taskkill.exe
4080	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	app.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	app.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\17\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	app.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify.	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "328039216"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 3d0187c30f4bd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "6q4orct"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	google-game.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 96eca3d60f4bd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 8f145cc90f4bd701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658BE = 03000000010000001400000083da05a9886f7658be73acf0a4930c0f99b92f011400000001000000140000003656896549cb5b9b2f3cac4216504d91b933d79104000000010000001000000062455357dd57cb80c32ab295743cccc00f00000001000000200000006811c6215f18c75fdbe32cf56bd66248562a7fa3ba459cfee338745061e583941900000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d705c000000010000000400000000100000180000000100000010000000bb048f1838395f6fc3a1f3d2b7e976542000000001000000dc060000308206d8308204c0a003020102020a613fb718000000000004300d06092a864886f70d01010b0500308188310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e31323030060355040313294d6963726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131301e170d3131313031383232353531395a170d3236313031383233303531395a307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f66742053656375726520536572766572204341203230313130820222300d06092a864886f70d01010105000382020f003082020a0282020100d00bc0a4a81981e236e5e2aae5f3b2155875beb4e549f1e084f9bb0d64ef85c18155b8f3e7f16d40553dce8b6ad18493f5757c5ba4d47410ca32f323d3aeeecf9e0458c2d947cbd17c004148711b01671718afc6fe73037ee4ef439cef01712a1f81264377985457739d552bf09e8e7d060eac1b54f326f7f82308228b9e061d3738fd72d2cae563c19a5a7db26db352a96ee9aeb5fc8b36f99efaf61c581b9756a511e5b752dbbbe9f054bfb4ff2c6cb85d26cea00ad7df93ed7fddacf12c731ad9193755badd22788ea1d49b09f807223171b094aee0b0e726445790819715ce61ec65e24bf185521632f8b578aa7ecd4dec8321a4a89bbe9a6a04e0a31ccd56186cfd6b2f423ee237f272abd07873727bdeec0058e52130a3083a99ef9fc3f77a169665b5c381aff4397049aff6a9f66a0038f9b40819e01a35a55676225f6af269ae3ead58464db854f68941441e72b1bc122753d2c1ffb2cd50981eb5f4bbb6c28239d9ac1bf23b27846ab0c6260bd73a10e7b3db7cd356ac534c0bfa3b313774d8592bf9007919067bfd1c1d42d4410d2f050ed56b4923ffcfcdf87a82cfda3c2ddfe8d8120418ba1e8877b8981f1007bbc8057e0b09bf6bdde34e5bb0f9c784a63bca4c9f5b6229f7c7a2a89588702ce5c13f3c52234f409ac33185832fbf29f11d508f219607ceeff280c2447d9b62ef2fc37789ab454d533e0279d30203010001a382014b30820147301006092b06010401823715010403020100301d0603551d0e041604143656896549cb5b9b2f3cac4216504d91b933d791301906092b0601040182371402040c1e0a00530075006200430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301f0603551d23041830168014722d3a02319043b914054ee1eaa7c731d1238934305a0603551d1f04533051304fa04da04b8649687474703a2f2f63726c2e6d6963726f736f66742e636f6d2f706b692f63726c2f70726f64756374732f4d6963526f6f436572417574323031315f323031315f30335f32322e63726c305e06082b0601050507010104523050304e06082b060105050730028642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b692f63657274732f4d6963526f6f436572417574323031315f323031315f30335f32322e637274300d06092a864886f70d01010b0500038202010041c861c1f55b9e3e9131f1b0c6bf0901b49db69074d709dba62e0d9fc8e7763446af0760894c81b33cd5f4123575c273a5f54d848ccba45dafbf92f617085742957265057679adeed1bab82e54a35107ac68eb210ce32581c2cd2af2c3ffcfc2bd49189ac7f084c5f914bc6b95e596efb342d253d54aa012c4ae12765309560e9df7d3a6498850f28a2c9720a2be4e78ef0565b74ba11688de31c70842247ca47b9e9dbc60005e6297e393fca7fe5b7b25dfe4537f4bbee63ef0db0179421c6e856c7db64430fba5379293b2a5ee20ad3f53d5c9f4286b57c1f81d6ab7562ab627811ca62d9fe7f4d0318397a82ab6acbe1b41f5e4895f56fbda5ad35e7d5594107e5357f44a3d402ac8bd679f84e110eefdda6b158249fc461dff4506749c4214edc539d3b3cd0b832790435192f24482ae6e9a1517b219fac7456c98017bbf37a9b088a492bc3838e01de47c97981a2e5fef3865b7352fbd7f4f21fac48cd26f06f94935eadf200f25aaea60ab2c1f4b89fcb7fa5c54904b3ea2284f6ce45265c1fd901c8582886ee9a655dd21287945b014e50acce65fc4bbdb6134699fac2638f7c1294108152e4ca0f7f90c3ede5fab08092d83acac348362f4c949428925b56eb247c5b339a0b1201b2cb18e046fa530491cd046e9405bf4ad6ebadb824a87124a80094ddbdf76b9055b1be0bb20705f0025c7d30efa16ad7b229e7108	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall39.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall39.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
856	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3604	ultramediaburner.tmp
3604	ultramediaburner.tmp
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe
3904	Palagojudae.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3044	Process not Found

Suspicious behavior: MapViewOfSection 60 IoCs

pid	Process
5112	MicrosoftEdgeCP.exe
5112	MicrosoftEdgeCP.exe
2216	toolspab1.exe
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
3044	Process not Found
5904	76D6.exe
3052	crsewba
1644	cesewba
5308	explorer.exe
5308	explorer.exe
5308	explorer.exe
5308	explorer.exe
344	explorer.exe
344	explorer.exe
344	explorer.exe
344	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2284	MicrosoftEdgeCP.exe
2284	MicrosoftEdgeCP.exe
5308	explorer.exe
5308	explorer.exe
344	explorer.exe
344	explorer.exe
2204	explorer.exe
2204	explorer.exe
5308	explorer.exe
5308	explorer.exe
5308	explorer.exe
5308	explorer.exe
344	explorer.exe
344	explorer.exe
344	explorer.exe
344	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
2204	explorer.exe
4556	cesewba
5616	crsewba
5580	crsewba
5964	cesewba

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	196	Ultra.exe
Token: SeDebugPrivilege	4028	Lewukadike.exe
Token: SeDebugPrivilege	3904	Palagojudae.exe
Token: SeDebugPrivilege	4136	MicrosoftEdge.exe
Token: SeDebugPrivilege	4136	MicrosoftEdge.exe
Token: SeDebugPrivilege	4136	MicrosoftEdge.exe
Token: SeDebugPrivilege	4136	MicrosoftEdge.exe
Token: SeSecurityPrivilege	4952	msiexec.exe
Token: SeCreateTokenPrivilege	1660	installer.exe
Token: SeAssignPrimaryTokenPrivilege	1660	installer.exe
Token: SeLockMemoryPrivilege	1660	installer.exe
Token: SeIncreaseQuotaPrivilege	1660	installer.exe
Token: SeMachineAccountPrivilege	1660	installer.exe
Token: SeTcbPrivilege	1660	installer.exe
Token: SeSecurityPrivilege	1660	installer.exe
Token: SeTakeOwnershipPrivilege	1660	installer.exe
Token: SeLoadDriverPrivilege	1660	installer.exe
Token: SeSystemProfilePrivilege	1660	installer.exe
Token: SeSystemtimePrivilege	1660	installer.exe
Token: SeProfSingleProcessPrivilege	1660	installer.exe
Token: SeIncBasePriorityPrivilege	1660	installer.exe
Token: SeCreatePagefilePrivilege	1660	installer.exe
Token: SeCreatePermanentPrivilege	1660	installer.exe
Token: SeBackupPrivilege	1660	installer.exe
Token: SeRestorePrivilege	1660	installer.exe
Token: SeShutdownPrivilege	1660	installer.exe
Token: SeDebugPrivilege	1660	installer.exe
Token: SeAuditPrivilege	1660	installer.exe
Token: SeSystemEnvironmentPrivilege	1660	installer.exe
Token: SeChangeNotifyPrivilege	1660	installer.exe
Token: SeRemoteShutdownPrivilege	1660	installer.exe
Token: SeUndockPrivilege	1660	installer.exe
Token: SeSyncAgentPrivilege	1660	installer.exe
Token: SeEnableDelegationPrivilege	1660	installer.exe
Token: SeManageVolumePrivilege	1660	installer.exe
Token: SeImpersonatePrivilege	1660	installer.exe
Token: SeCreateGlobalPrivilege	1660	installer.exe
Token: SeDebugPrivilege	4600	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4600	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4600	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4600	MicrosoftEdgeCP.exe
Token: SeCreateTokenPrivilege	1660	installer.exe
Token: SeAssignPrimaryTokenPrivilege	1660	installer.exe
Token: SeLockMemoryPrivilege	1660	installer.exe
Token: SeIncreaseQuotaPrivilege	1660	installer.exe
Token: SeMachineAccountPrivilege	1660	installer.exe
Token: SeTcbPrivilege	1660	installer.exe
Token: SeSecurityPrivilege	1660	installer.exe
Token: SeTakeOwnershipPrivilege	1660	installer.exe
Token: SeLoadDriverPrivilege	1660	installer.exe
Token: SeSystemProfilePrivilege	1660	installer.exe
Token: SeSystemtimePrivilege	1660	installer.exe
Token: SeProfSingleProcessPrivilege	1660	installer.exe
Token: SeIncBasePriorityPrivilege	1660	installer.exe
Token: SeCreatePagefilePrivilege	1660	installer.exe
Token: SeCreatePermanentPrivilege	1660	installer.exe
Token: SeBackupPrivilege	1660	installer.exe
Token: SeRestorePrivilege	1660	installer.exe
Token: SeShutdownPrivilege	1660	installer.exe
Token: SeDebugPrivilege	1660	installer.exe
Token: SeAuditPrivilege	1660	installer.exe
Token: SeSystemEnvironmentPrivilege	1660	installer.exe
Token: SeChangeNotifyPrivilege	1660	installer.exe
Token: SeRemoteShutdownPrivilege	1660	installer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3604	ultramediaburner.tmp
1660	installer.exe
1776	installer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4136	MicrosoftEdge.exe
5112	MicrosoftEdgeCP.exe
5112	MicrosoftEdgeCP.exe
3828	MicrosoftEdge.exe
2284	MicrosoftEdgeCP.exe
2284	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3044	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 1916	3944	Install.exe	74
PID 3944 wrote to memory of 1916	3944	Install.exe	74
PID 3944 wrote to memory of 1916	3944	Install.exe	74
PID 1916 wrote to memory of 196	1916	Install.tmp	77
PID 1916 wrote to memory of 196	1916	Install.tmp	77
PID 196 wrote to memory of 1312	196	Ultra.exe	80
PID 196 wrote to memory of 1312	196	Ultra.exe	80
PID 196 wrote to memory of 1312	196	Ultra.exe	80
PID 1312 wrote to memory of 3604	1312	ultramediaburner.exe	81
PID 1312 wrote to memory of 3604	1312	ultramediaburner.exe	81
PID 1312 wrote to memory of 3604	1312	ultramediaburner.exe	81
PID 196 wrote to memory of 4028	196	Ultra.exe	82
PID 196 wrote to memory of 4028	196	Ultra.exe	82
PID 3604 wrote to memory of 2168	3604	ultramediaburner.tmp	83
PID 3604 wrote to memory of 2168	3604	ultramediaburner.tmp	83
PID 196 wrote to memory of 3904	196	Ultra.exe	84
PID 196 wrote to memory of 3904	196	Ultra.exe	84
PID 3904 wrote to memory of 4392	3904	Palagojudae.exe	90
PID 3904 wrote to memory of 4392	3904	Palagojudae.exe	90
PID 4392 wrote to memory of 4516	4392	cmd.exe	92
PID 4392 wrote to memory of 4516	4392	cmd.exe	92
PID 4392 wrote to memory of 4516	4392	cmd.exe	92
PID 3904 wrote to memory of 5016	3904	Palagojudae.exe	93
PID 3904 wrote to memory of 5016	3904	Palagojudae.exe	93
PID 5016 wrote to memory of 1660	5016	cmd.exe	96
PID 5016 wrote to memory of 1660	5016	cmd.exe	96
PID 5016 wrote to memory of 1660	5016	cmd.exe	96
PID 3904 wrote to memory of 4512	3904	Palagojudae.exe	97
PID 3904 wrote to memory of 4512	3904	Palagojudae.exe	97
PID 4512 wrote to memory of 4884	4512	cmd.exe	100
PID 4512 wrote to memory of 4884	4512	cmd.exe	100
PID 4512 wrote to memory of 4884	4512	cmd.exe	100
PID 4884 wrote to memory of 856	4884	hbggg.exe	125
PID 4884 wrote to memory of 856	4884	hbggg.exe	125
PID 4884 wrote to memory of 856	4884	hbggg.exe	125
PID 4952 wrote to memory of 2872	4952	msiexec.exe	104
PID 4952 wrote to memory of 2872	4952	msiexec.exe	104
PID 4952 wrote to memory of 2872	4952	msiexec.exe	104
PID 5112 wrote to memory of 4600	5112	MicrosoftEdgeCP.exe	99
PID 5112 wrote to memory of 4600	5112	MicrosoftEdgeCP.exe	99
PID 5112 wrote to memory of 4600	5112	MicrosoftEdgeCP.exe	99
PID 3904 wrote to memory of 188	3904	Palagojudae.exe	105
PID 3904 wrote to memory of 188	3904	Palagojudae.exe	105
PID 188 wrote to memory of 4932	188	cmd.exe	107
PID 188 wrote to memory of 4932	188	cmd.exe	107
PID 188 wrote to memory of 4932	188	cmd.exe	107
PID 3904 wrote to memory of 900	3904	Palagojudae.exe	110
PID 3904 wrote to memory of 900	3904	Palagojudae.exe	110
PID 1660 wrote to memory of 1512	1660	installer.exe	108
PID 1660 wrote to memory of 1512	1660	installer.exe	108
PID 1660 wrote to memory of 1512	1660	installer.exe	108
PID 900 wrote to memory of 5248	900	cmd.exe	111
PID 900 wrote to memory of 5248	900	cmd.exe	111
PID 900 wrote to memory of 5248	900	cmd.exe	111
PID 4932 wrote to memory of 5308	4932	google-game.exe	112
PID 4932 wrote to memory of 5308	4932	google-game.exe	112
PID 4932 wrote to memory of 5308	4932	google-game.exe	112
PID 5112 wrote to memory of 4600	5112	MicrosoftEdgeCP.exe	99
PID 5112 wrote to memory of 4600	5112	MicrosoftEdgeCP.exe	99
PID 5112 wrote to memory of 4600	5112	MicrosoftEdgeCP.exe	99
PID 3904 wrote to memory of 5364	3904	Palagojudae.exe	114
PID 3904 wrote to memory of 5364	3904	Palagojudae.exe	114
PID 5308 wrote to memory of 3836	5308	rUNdlL32.eXe	70
PID 3836 wrote to memory of 5472	3836	svchost.exe	115

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2844

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2780

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2760

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2464

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Users\Admin\AppData\Local\Temp\is-6Q915.tmp\Install.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-6Q915.tmp\Install.tmp" /SL5="$5006A,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\is-CFQQM.tmp\Ultra.exe
    "C:\Users\Admin\AppData\Local\Temp\is-CFQQM.tmp\Ultra.exe" /S /UID=burnerch1
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:196
  - - C:\Program Files\Windows Portable Devices\MCIDFADSOD\ultramediaburner.exe
      "C:\Program Files\Windows Portable Devices\MCIDFADSOD\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Users\Admin\AppData\Local\Temp\is-1R0P0.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1R0P0.tmp\ultramediaburner.tmp" /SL5="$50052,281924,62464,C:\Program Files\Windows Portable Devices\MCIDFADSOD\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3604
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        
        PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\25-fd55f-75f-3d5ab-3d768bc1649b8\Lewukadike.exe
      "C:\Users\Admin\AppData\Local\Temp\25-fd55f-75f-3d5ab-3d768bc1649b8\Lewukadike.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\03-0d7b1-1aa-2cc8a-a22b11114ca17\Palagojudae.exe
      "C:\Users\Admin\AppData\Local\Temp\03-0d7b1-1aa-2cc8a-a22b11114ca17\Palagojudae.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3904
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i04lfey0.hrh\001.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4392
      - C:\Users\Admin\AppData\Local\Temp\i04lfey0.hrh\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\i04lfey0.hrh\001.exe
        6⤵
        Executes dropped EXE
        
        PID:4516
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\njeit04y.adp\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5016
      - C:\Users\Admin\AppData\Local\Temp\njeit04y.adp\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\njeit04y.adp\installer.exe /qn CAMPAIGN="654"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\njeit04y.adp\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\njeit04y.adp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1620990724 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:1512
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ozrrrpnd.zjs\hbggg.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4512
      - C:\Users\Admin\AppData\Local\Temp\ozrrrpnd.zjs\hbggg.exe
        
        C:\Users\Admin\AppData\Local\Temp\ozrrrpnd.zjs\hbggg.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:2232
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\psr3pf00.e3j\google-game.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:188
      - C:\Users\Admin\AppData\Local\Temp\psr3pf00.e3j\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\psr3pf00.e3j\google-game.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:5308
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fhz4mab4.1ob\setup.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:900
      - C:\Users\Admin\AppData\Local\Temp\fhz4mab4.1ob\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\fhz4mab4.1ob\setup.exe
        6⤵
        Executes dropped EXE
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\fhz4mab4.1ob\setup.exe"
        7⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        8⤵
        Executes dropped EXE
        Runs ping.exe
        
        PID:856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eyguh13b.5yw\askinstall39.exe & exit
        5⤵
        
        PID:5364
      - C:\Users\Admin\AppData\Local\Temp\eyguh13b.5yw\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\eyguh13b.5yw\askinstall39.exe
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:4376
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0cjaktim.rbf\customer1.exe & exit
        5⤵
        
        PID:6016
      - C:\Users\Admin\AppData\Local\Temp\0cjaktim.rbf\customer1.exe
        
        C:\Users\Admin\AppData\Local\Temp\0cjaktim.rbf\customer1.exe
        6⤵
        Executes dropped EXE
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:2808
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k3cpfwkp.njx\toolspab1.exe & exit
        5⤵
        
        PID:2204
      - C:\Users\Admin\AppData\Local\Temp\k3cpfwkp.njx\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\k3cpfwkp.njx\toolspab1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\k3cpfwkp.njx\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\k3cpfwkp.njx\toolspab1.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:2216
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zfuqsplr.mz0\GcleanerWW.exe /mixone & exit
        5⤵
        
        PID:1956
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tq5zw3i0.4aj\005.exe & exit
        5⤵
        
        PID:4836
      - C:\Users\Admin\AppData\Local\Temp\tq5zw3i0.4aj\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\tq5zw3i0.4aj\005.exe
        6⤵
        Executes dropped EXE
        
        PID:4192
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xb0fqrf2.d4a\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        
        PID:5900
      - C:\Users\Admin\AppData\Local\Temp\xb0fqrf2.d4a\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\xb0fqrf2.d4a\installer.exe /qn CAMPAIGN="654"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        
        PID:1776
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\xb0fqrf2.d4a\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\xb0fqrf2.d4a\ EXE_CMD_LINE="/forcecleanup /wintime 1620990724 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:5732
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jpxhpodn.1sn\702564a0.exe & exit
        5⤵
        
        PID:1296
      - C:\Users\Admin\AppData\Local\Temp\jpxhpodn.1sn\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\jpxhpodn.1sn\702564a0.exe
        6⤵
        
        PID:5904
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3nojmjvq.qqc\app.exe /8-2222 & exit
        5⤵
        
        PID:4748
      - C:\Users\Admin\AppData\Local\Temp\3nojmjvq.qqc\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\3nojmjvq.qqc\app.exe /8-2222
        6⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\3nojmjvq.qqc\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3nojmjvq.qqc\app.exe" /8-2222
        7⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:4816

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1884

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1392

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1156

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1104

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:680
- C:\Users\Admin\AppData\Roaming\crsewba
  C:\Users\Admin\AppData\Roaming\crsewba
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:3052
- C:\Users\Admin\AppData\Roaming\cesewba
  C:\Users\Admin\AppData\Roaming\cesewba
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2312
- - C:\Users\Admin\AppData\Roaming\cesewba
    C:\Users\Admin\AppData\Roaming\cesewba
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:1644
- C:\Users\Admin\AppData\Roaming\crsewba
  C:\Users\Admin\AppData\Roaming\crsewba
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5616
- C:\Users\Admin\AppData\Roaming\cesewba
  C:\Users\Admin\AppData\Roaming\cesewba
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5248
- - C:\Users\Admin\AppData\Roaming\cesewba
    C:\Users\Admin\AppData\Roaming\cesewba
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:4556
- C:\Users\Admin\AppData\Roaming\crsewba
  C:\Users\Admin\AppData\Roaming\crsewba
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5580
- C:\Users\Admin\AppData\Roaming\cesewba
  C:\Users\Admin\AppData\Roaming\cesewba
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6080
- - C:\Users\Admin\AppData\Roaming\cesewba
    C:\Users\Admin\AppData\Roaming\cesewba
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:5964

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:996

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:5472

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4180

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 38AC6E3408DA9AE46181766E85FA4BF0 C
  2⤵
  - Loads dropped DLL
  PID:2872
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5562AFE7D1B8B678FCB563EBE2C0A5D0
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:5596
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:6048
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 028AC228497540D83D3ED0F44D0A37C1 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:2308
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 036DDDF811B786E686CCC28EFE53B7D1 C
  2⤵
  - Loads dropped DLL
  PID:5896
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 98F440CBAD925F16A4910B2068A13042
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:5708
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:4080
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2F3FDB9C47DE42E49F698D03BC9604CF E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5432

C:\Users\Admin\AppData\Local\Temp\3672.exe
C:\Users\Admin\AppData\Local\Temp\3672.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5932

C:\Users\Admin\AppData\Local\Temp\3C20.exe
C:\Users\Admin\AppData\Local\Temp\3C20.exe
1⤵
- Executes dropped EXE
PID:4392

C:\Users\Admin\AppData\Local\Temp\4420.exe
C:\Users\Admin\AppData\Local\Temp\4420.exe
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5604

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1960

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5488

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5308

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5860

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:344

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5800

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2204

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5804

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4048

C:\Users\Admin\AppData\Local\Temp\B2A.exe
C:\Users\Admin\AppData\Local\Temp\B2A.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4748
- C:\Users\Admin\AppData\Local\Temp\B2A.exe
  C:\Users\Admin\AppData\Local\Temp\B2A.exe
  2⤵
  - Executes dropped EXE
  PID:192
- C:\Users\Admin\AppData\Local\Temp\B2A.exe
  C:\Users\Admin\AppData\Local\Temp\B2A.exe
  2⤵
  - Executes dropped EXE
  PID:4180

C:\Users\Admin\AppData\Local\Temp\76D6.exe
C:\Users\Admin\AppData\Local\Temp\76D6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3912
- C:\Users\Admin\AppData\Local\Temp\76D6.exe
  C:\Users\Admin\AppData\Local\Temp\76D6.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:5904
- C:\Users\Admin\AppData\Local\Temp\76D6.exe
  C:\Users\Admin\AppData\Local\Temp\76D6.exe
  2⤵
  - Executes dropped EXE
  PID:4228

C:\Users\Admin\AppData\Local\Temp\C50F.exe
C:\Users\Admin\AppData\Local\Temp\C50F.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3852

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3828

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6004

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2284

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2364

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5192

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery