plugx | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

Target

Install2.exe
Size

497KB
MD5

41a5f4fd1ea7cac4aa94a87aebccfef0
SHA1

0d0abf079413a4c773754bf4fda338dc5b9a8ddc
SHA256

97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9
SHA512

5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

Score

10^/10

plugx vidar discovery evasion persistence stealer trojan upx vmprotect

Malware Config

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Ultra.exe

Executes dropped EXE 14 IoCs

pid	Process
504	Install2.tmp
3984	Ultra.exe
3412	ultramediaburner.exe
2760	ultramediaburner.tmp
3104	Huwaecybofo.exe
3928	UltraMediaBurner.exe
1764	Torovubaeqae.exe
4400	001.exe
4444	installer.exe
4836	gaoou.exe
5012	jfiag3g_gg.exe
4464	Setup3310.exe
4844	Setup3310.tmp
5068	google-game.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral30/files/0x000100000001abf1-174.dat	upx
behavioral30/files/0x000100000001abf1-173.dat	upx
behavioral30/files/0x000100000001ac44-230.dat	upx
behavioral30/files/0x000100000001ac44-234.dat	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral30/files/0x000100000001ac58-275.dat	vmprotect
behavioral30/files/0x000100000001ac58-274.dat	vmprotect
behavioral30/memory/5696-309-0x00000000001F0000-0x000000000084F000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Huwaecybofo.exe

Loads dropped DLL 8 IoCs

pid	Process
504	Install2.tmp
4444	installer.exe
4444	installer.exe
4444	installer.exe
4844	Setup3310.tmp
4844	Setup3310.tmp
3996	MsiExec.exe
3996	MsiExec.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5272	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Beferobume.exe\""	Ultra.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gaoou.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
96	ipinfo.io
165	ip-api.com
308	ipinfo.io
429	api.2ip.ua
61	ip-api.com
98	ipinfo.io
313	ipinfo.io
336	ipinfo.io
428	api.2ip.ua

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\Beferobume.exe.config	Ultra.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\Windows Portable Devices\Beferobume.exe	Ultra.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-CJU98.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-85Q1K.tmp	ultramediaburner.tmp
File created	C:\Program Files\Microsoft Office 15\XADGSKWBLV\ultramediaburner.exe	Ultra.exe
File created	C:\Program Files\Microsoft Office 15\XADGSKWBLV\ultramediaburner.exe.config	Ultra.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Installer\f746c8b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f746c8b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4844	5836	WerFault.exe	250

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
7128	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
6836	taskkill.exe
5508	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompletedV = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{F9C80DB0-842F-467F-8C38-4D3FF1C80FDA} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f79dc4c19654d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 01000000d18891ae51883c37eb4596074ad968a5e1ba81751542f5458628101a2a014f7638d3139d1a49b1e66323c53e33e0d60ba2c5e68928c166f5dccaf407d7baf57fd5c649bfe20eefae2df2ec9f6f582e9e8d213a07cbbfa76de4c9	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe

Script User-Agent 7 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	340	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	97	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	98	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	102	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	309	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	316	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	335	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2760	ultramediaburner.tmp
2760	ultramediaburner.tmp
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe
1764	Torovubaeqae.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4800	MicrosoftEdgeCP.exe
4800	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3984	Ultra.exe
Token: SeDebugPrivilege	3104	Huwaecybofo.exe
Token: SeDebugPrivilege	1764	Torovubaeqae.exe
Token: SeDebugPrivilege	2644	MicrosoftEdge.exe
Token: SeDebugPrivilege	2644	MicrosoftEdge.exe
Token: SeDebugPrivilege	2644	MicrosoftEdge.exe
Token: SeDebugPrivilege	2644	MicrosoftEdge.exe
Token: SeDebugPrivilege	5040	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5040	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5040	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5040	MicrosoftEdgeCP.exe
Token: SeSecurityPrivilege	4108	msiexec.exe
Token: SeCreateTokenPrivilege	4444	installer.exe
Token: SeAssignPrimaryTokenPrivilege	4444	installer.exe
Token: SeLockMemoryPrivilege	4444	installer.exe
Token: SeIncreaseQuotaPrivilege	4444	installer.exe
Token: SeMachineAccountPrivilege	4444	installer.exe
Token: SeTcbPrivilege	4444	installer.exe
Token: SeSecurityPrivilege	4444	installer.exe
Token: SeTakeOwnershipPrivilege	4444	installer.exe
Token: SeLoadDriverPrivilege	4444	installer.exe
Token: SeSystemProfilePrivilege	4444	installer.exe
Token: SeSystemtimePrivilege	4444	installer.exe
Token: SeProfSingleProcessPrivilege	4444	installer.exe
Token: SeIncBasePriorityPrivilege	4444	installer.exe
Token: SeCreatePagefilePrivilege	4444	installer.exe
Token: SeCreatePermanentPrivilege	4444	installer.exe
Token: SeBackupPrivilege	4444	installer.exe
Token: SeRestorePrivilege	4444	installer.exe
Token: SeShutdownPrivilege	4444	installer.exe
Token: SeDebugPrivilege	4444	installer.exe
Token: SeAuditPrivilege	4444	installer.exe
Token: SeSystemEnvironmentPrivilege	4444	installer.exe
Token: SeChangeNotifyPrivilege	4444	installer.exe
Token: SeRemoteShutdownPrivilege	4444	installer.exe
Token: SeUndockPrivilege	4444	installer.exe
Token: SeSyncAgentPrivilege	4444	installer.exe
Token: SeEnableDelegationPrivilege	4444	installer.exe
Token: SeManageVolumePrivilege	4444	installer.exe
Token: SeImpersonatePrivilege	4444	installer.exe
Token: SeCreateGlobalPrivilege	4444	installer.exe
Token: SeCreateTokenPrivilege	4444	installer.exe
Token: SeAssignPrimaryTokenPrivilege	4444	installer.exe
Token: SeLockMemoryPrivilege	4444	installer.exe
Token: SeIncreaseQuotaPrivilege	4444	installer.exe
Token: SeMachineAccountPrivilege	4444	installer.exe
Token: SeTcbPrivilege	4444	installer.exe
Token: SeSecurityPrivilege	4444	installer.exe
Token: SeTakeOwnershipPrivilege	4444	installer.exe
Token: SeLoadDriverPrivilege	4444	installer.exe
Token: SeSystemProfilePrivilege	4444	installer.exe
Token: SeSystemtimePrivilege	4444	installer.exe
Token: SeProfSingleProcessPrivilege	4444	installer.exe
Token: SeIncBasePriorityPrivilege	4444	installer.exe
Token: SeCreatePagefilePrivilege	4444	installer.exe
Token: SeCreatePermanentPrivilege	4444	installer.exe
Token: SeBackupPrivilege	4444	installer.exe
Token: SeRestorePrivilege	4444	installer.exe
Token: SeShutdownPrivilege	4444	installer.exe
Token: SeDebugPrivilege	4444	installer.exe
Token: SeAuditPrivilege	4444	installer.exe
Token: SeSystemEnvironmentPrivilege	4444	installer.exe
Token: SeChangeNotifyPrivilege	4444	installer.exe
Token: SeRemoteShutdownPrivilege	4444	installer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2760	ultramediaburner.tmp
4444	installer.exe
4844	WerFault.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2644	MicrosoftEdge.exe
4800	MicrosoftEdgeCP.exe
4800	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 504	4044	Install2.exe	73
PID 4044 wrote to memory of 504	4044	Install2.exe	73
PID 4044 wrote to memory of 504	4044	Install2.exe	73
PID 504 wrote to memory of 3984	504	Install2.tmp	77
PID 504 wrote to memory of 3984	504	Install2.tmp	77
PID 3984 wrote to memory of 3412	3984	Ultra.exe	80
PID 3984 wrote to memory of 3412	3984	Ultra.exe	80
PID 3984 wrote to memory of 3412	3984	Ultra.exe	80
PID 3412 wrote to memory of 2760	3412	ultramediaburner.exe	81
PID 3412 wrote to memory of 2760	3412	ultramediaburner.exe	81
PID 3412 wrote to memory of 2760	3412	ultramediaburner.exe	81
PID 3984 wrote to memory of 3104	3984	Ultra.exe	82
PID 3984 wrote to memory of 3104	3984	Ultra.exe	82
PID 2760 wrote to memory of 3928	2760	ultramediaburner.tmp	84
PID 2760 wrote to memory of 3928	2760	ultramediaburner.tmp	84
PID 3984 wrote to memory of 1764	3984	Ultra.exe	85
PID 3984 wrote to memory of 1764	3984	Ultra.exe	85
PID 1764 wrote to memory of 4248	1764	Torovubaeqae.exe	91
PID 1764 wrote to memory of 4248	1764	Torovubaeqae.exe	91
PID 4248 wrote to memory of 4400	4248	cmd.exe	93
PID 4248 wrote to memory of 4400	4248	cmd.exe	93
PID 4248 wrote to memory of 4400	4248	cmd.exe	93
PID 1764 wrote to memory of 5000	1764	Torovubaeqae.exe	95
PID 1764 wrote to memory of 5000	1764	Torovubaeqae.exe	95
PID 1764 wrote to memory of 4316	1764	Torovubaeqae.exe	98
PID 1764 wrote to memory of 4316	1764	Torovubaeqae.exe	98
PID 4316 wrote to memory of 4444	4316	cmd.exe	100
PID 4316 wrote to memory of 4444	4316	cmd.exe	100
PID 4316 wrote to memory of 4444	4316	cmd.exe	100
PID 1764 wrote to memory of 4688	1764	Torovubaeqae.exe	101
PID 1764 wrote to memory of 4688	1764	Torovubaeqae.exe	101
PID 4688 wrote to memory of 4836	4688	cmd.exe	103
PID 4688 wrote to memory of 4836	4688	cmd.exe	103
PID 4688 wrote to memory of 4836	4688	cmd.exe	103
PID 4836 wrote to memory of 5012	4836	gaoou.exe	104
PID 4836 wrote to memory of 5012	4836	gaoou.exe	104
PID 4836 wrote to memory of 5012	4836	gaoou.exe	104
PID 4800 wrote to memory of 5040	4800	MicrosoftEdgeCP.exe	97
PID 4800 wrote to memory of 5040	4800	MicrosoftEdgeCP.exe	97
PID 4800 wrote to memory of 5040	4800	MicrosoftEdgeCP.exe	97
PID 1764 wrote to memory of 4276	1764	Torovubaeqae.exe	185
PID 1764 wrote to memory of 4276	1764	Torovubaeqae.exe	185
PID 4276 wrote to memory of 4464	4276	cmd.exe	109
PID 4276 wrote to memory of 4464	4276	cmd.exe	109
PID 4276 wrote to memory of 4464	4276	cmd.exe	109
PID 4464 wrote to memory of 4844	4464	Setup3310.exe	204
PID 4464 wrote to memory of 4844	4464	Setup3310.exe	204
PID 4464 wrote to memory of 4844	4464	Setup3310.exe	204
PID 4108 wrote to memory of 3996	4108	msiexec.exe	110
PID 4108 wrote to memory of 3996	4108	msiexec.exe	110
PID 4108 wrote to memory of 3996	4108	msiexec.exe	110
PID 4444 wrote to memory of 5028	4444	installer.exe	112
PID 4444 wrote to memory of 5028	4444	installer.exe	112
PID 4444 wrote to memory of 5028	4444	installer.exe	112
PID 1764 wrote to memory of 4920	1764	Torovubaeqae.exe	114
PID 1764 wrote to memory of 4920	1764	Torovubaeqae.exe	114
PID 4920 wrote to memory of 5068	4920	cmd.exe	115
PID 4920 wrote to memory of 5068	4920	cmd.exe	115
PID 4920 wrote to memory of 5068	4920	cmd.exe	115
PID 1764 wrote to memory of 3992	1764	Torovubaeqae.exe	116
PID 1764 wrote to memory of 3992	1764	Torovubaeqae.exe	116

C:\Users\Admin\AppData\Local\Temp\Install2.exe
"C:\Users\Admin\AppData\Local\Temp\Install2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\is-288T1.tmp\Install2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-288T1.tmp\Install2.tmp" /SL5="$5002E,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:504
- - C:\Users\Admin\AppData\Local\Temp\is-USKCA.tmp\Ultra.exe
    "C:\Users\Admin\AppData\Local\Temp\is-USKCA.tmp\Ultra.exe" /S /UID=burnerch1
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Program Files\Microsoft Office 15\XADGSKWBLV\ultramediaburner.exe
      "C:\Program Files\Microsoft Office 15\XADGSKWBLV\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Users\Admin\AppData\Local\Temp\is-QLCK8.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QLCK8.tmp\ultramediaburner.tmp" /SL5="$6005E,281924,62464,C:\Program Files\Microsoft Office 15\XADGSKWBLV\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        
        PID:3928
  - - C:\Users\Admin\AppData\Local\Temp\5b-20180-624-4c1bc-8d7e5bca17993\Huwaecybofo.exe
      "C:\Users\Admin\AppData\Local\Temp\5b-20180-624-4c1bc-8d7e5bca17993\Huwaecybofo.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      PID:3104
  - - C:\Users\Admin\AppData\Local\Temp\5f-724e5-1ac-6a3a4-8b18237c519ea\Torovubaeqae.exe
      "C:\Users\Admin\AppData\Local\Temp\5f-724e5-1ac-6a3a4-8b18237c519ea\Torovubaeqae.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o0qtdye0.sma\001.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4248
      - C:\Users\Admin\AppData\Local\Temp\o0qtdye0.sma\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\o0qtdye0.sma\001.exe
        6⤵
        Executes dropped EXE
        
        PID:4400
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2jmzmz4b.hza\GcleanerEU.exe /eufive & exit
        5⤵
        
        PID:5000
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\t3sddp35.kjq\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4316
      - C:\Users\Admin\AppData\Local\Temp\t3sddp35.kjq\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\t3sddp35.kjq\installer.exe /qn CAMPAIGN="654"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\t3sddp35.kjq\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\t3sddp35.kjq\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1622039169 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:5028
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kz45zyio.h5z\gaoou.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4688
      - C:\Users\Admin\AppData\Local\Temp\kz45zyio.h5z\gaoou.exe
        
        C:\Users\Admin\AppData\Local\Temp\kz45zyio.h5z\gaoou.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:5140
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lhuoizmp.etz\Setup3310.exe /Verysilent /subid=623 & exit
        5⤵
        
        PID:4276
      - C:\Users\Admin\AppData\Local\Temp\lhuoizmp.etz\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\lhuoizmp.etz\Setup3310.exe /Verysilent /subid=623
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\is-U7MNA.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-U7MNA.tmp\Setup3310.tmp" /SL5="$5035C,138429,56832,C:\Users\Admin\AppData\Local\Temp\lhuoizmp.etz\Setup3310.exe" /Verysilent /subid=623
        7⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\is-UMD7F.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UMD7F.tmp\Setup.exe" /Verysilent
        8⤵
        
        PID:5224
        
        C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
        9⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:4340
        
        C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
        9⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
        10⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im RunWW.exe /f
        11⤵
        Kills process with taskkill
        
        PID:6836
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        11⤵
        Delays execution with timeout.exe
        
        PID:7128
        
        C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
        9⤵
        
        PID:5836
        
        C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        9⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\is-D2TSG.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-D2TSG.tmp\LabPicV3.tmp" /SL5="$30412,140559,56832,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        10⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\is-E81T3.tmp\___________23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-E81T3.tmp\___________23.exe" /S /UID=lab214
        11⤵
        
        PID:5140
        
        C:\Program Files\Common Files\QNJLKBGRGZ\prolab.exe
        
        "C:\Program Files\Common Files\QNJLKBGRGZ\prolab.exe" /VERYSILENT
        12⤵
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\is-S96R3.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-S96R3.tmp\prolab.tmp" /SL5="$601CA,575243,216576,C:\Program Files\Common Files\QNJLKBGRGZ\prolab.exe" /VERYSILENT
        13⤵
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\Temp\e1-d472a-f7c-cf6b3-7ab951d0f0aa2\Ruqekisefi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e1-d472a-f7c-cf6b3-7ab951d0f0aa2\Ruqekisefi.exe"
        12⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\42-23914-bac-51aa1-4e6f0aab00d22\Hegawaetyqu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\42-23914-bac-51aa1-4e6f0aab00d22\Hegawaetyqu.exe"
        12⤵
        
        PID:5176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3ucswbmg.jdh\001.exe & exit
        13⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\3ucswbmg.jdh\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\3ucswbmg.jdh\001.exe
        14⤵
        
        PID:5788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dl4oxxy4.vql\GcleanerEU.exe /eufive & exit
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bhtmojzn.0gr\installer.exe /qn CAMPAIGN="654" & exit
        13⤵
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\bhtmojzn.0gr\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\bhtmojzn.0gr\installer.exe /qn CAMPAIGN="654"
        14⤵
        
        PID:5076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a1xv5ttd.jmo\gaoou.exe & exit
        13⤵
        
        PID:7048
        
        C:\Users\Admin\AppData\Local\Temp\a1xv5ttd.jmo\gaoou.exe
        
        C:\Users\Admin\AppData\Local\Temp\a1xv5ttd.jmo\gaoou.exe
        14⤵
        
        PID:6812
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:6200
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:6688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gmawgvfu.dtn\Setup3310.exe /Verysilent /subid=623 & exit
        13⤵
        
        PID:6392
        
        C:\Users\Admin\AppData\Local\Temp\gmawgvfu.dtn\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\gmawgvfu.dtn\Setup3310.exe /Verysilent /subid=623
        14⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\is-AFF6H.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-AFF6H.tmp\Setup3310.tmp" /SL5="$106E6,138429,56832,C:\Users\Admin\AppData\Local\Temp\gmawgvfu.dtn\Setup3310.exe" /Verysilent /subid=623
        15⤵
        
        PID:5216
        
        C:\Users\Admin\AppData\Local\Temp\is-H7FO9.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-H7FO9.tmp\Setup.exe" /Verysilent
        16⤵
        
        PID:5880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0d4udepa.4t1\google-game.exe & exit
        13⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\0d4udepa.4t1\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\0d4udepa.4t1\google-game.exe
        14⤵
        
        PID:6736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l3edi04j.izt\005.exe & exit
        13⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\l3edi04j.izt\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\l3edi04j.izt\005.exe
        14⤵
        
        PID:6540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nbiep53z.5yr\toolspab1.exe & exit
        13⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\nbiep53z.5yr\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\nbiep53z.5yr\toolspab1.exe
        14⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\nbiep53z.5yr\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\nbiep53z.5yr\toolspab1.exe
        15⤵
        
        PID:6956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\20tfqyyb.njf\GcleanerWW.exe /mixone & exit
        13⤵
        
        PID:7120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kbvi1341.wjl\installer.exe /qn CAMPAIGN="654" & exit
        13⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Local\Temp\kbvi1341.wjl\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\kbvi1341.wjl\installer.exe /qn CAMPAIGN="654"
        14⤵
        
        PID:6712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yx0fpx3v.4o3\702564a0.exe & exit
        13⤵
        
        PID:6464
        
        C:\Users\Admin\AppData\Local\Temp\yx0fpx3v.4o3\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\yx0fpx3v.4o3\702564a0.exe
        14⤵
        
        PID:5404
        
        C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        9⤵
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\is-7CIJ4.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7CIJ4.tmp\lylal220.tmp" /SL5="$303D6,140518,56832,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        10⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\is-M6PF4.tmp\___________RUb__________y.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-M6PF4.tmp\___________RUb__________y.exe" /S /UID=lylal220
        11⤵
        
        PID:4676
        
        C:\Program Files\MSBuild\AEGKCUOPSG\irecord.exe
        
        "C:\Program Files\MSBuild\AEGKCUOPSG\irecord.exe" /VERYSILENT
        12⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\is-40STL.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-40STL.tmp\irecord.tmp" /SL5="$202F8,6139911,56832,C:\Program Files\MSBuild\AEGKCUOPSG\irecord.exe" /VERYSILENT
        13⤵
        
        PID:3480
        
        C:\Program Files (x86)\recording\i-record.exe
        
        "C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
        14⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\a1-53a6a-8c1-77abf-e7eb9fd205712\Docepavafy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a1-53a6a-8c1-77abf-e7eb9fd205712\Docepavafy.exe"
        12⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\23-1031f-fc5-f2ea1-1d391d45a99cb\Lodelyfiry.exe
        
        "C:\Users\Admin\AppData\Local\Temp\23-1031f-fc5-f2ea1-1d391d45a99cb\Lodelyfiry.exe"
        12⤵
        
        PID:6072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ycesnk3i.toa\001.exe & exit
        13⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Local\Temp\ycesnk3i.toa\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\ycesnk3i.toa\001.exe
        14⤵
        
        PID:6212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fpsnrgdh.zyq\GcleanerEU.exe /eufive & exit
        13⤵
        
        PID:4168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1t2qpjhu.5tq\installer.exe /qn CAMPAIGN="654" & exit
        13⤵
        
        PID:6604
        
        C:\Users\Admin\AppData\Local\Temp\1t2qpjhu.5tq\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\1t2qpjhu.5tq\installer.exe /qn CAMPAIGN="654"
        14⤵
        
        PID:2008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s0cduboe.g2g\gaoou.exe & exit
        13⤵
        
        PID:7072
        
        C:\Users\Admin\AppData\Local\Temp\s0cduboe.g2g\gaoou.exe
        
        C:\Users\Admin\AppData\Local\Temp\s0cduboe.g2g\gaoou.exe
        14⤵
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:6704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yqfsnmnm.1ah\Setup3310.exe /Verysilent /subid=623 & exit
        13⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\yqfsnmnm.1ah\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\yqfsnmnm.1ah\Setup3310.exe /Verysilent /subid=623
        14⤵
        
        PID:6372
        
        C:\Users\Admin\AppData\Local\Temp\is-28NRC.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-28NRC.tmp\Setup3310.tmp" /SL5="$80522,138429,56832,C:\Users\Admin\AppData\Local\Temp\yqfsnmnm.1ah\Setup3310.exe" /Verysilent /subid=623
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\is-TA0A6.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-TA0A6.tmp\Setup.exe" /Verysilent
        16⤵
        
        PID:5072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lzwqf5bg.fxr\google-game.exe & exit
        13⤵
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\lzwqf5bg.fxr\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\lzwqf5bg.fxr\google-game.exe
        14⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl
        15⤵
        
        PID:4272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qmfm1tvs.4g3\005.exe & exit
        13⤵
        
        PID:6300
        
        C:\Users\Admin\AppData\Local\Temp\qmfm1tvs.4g3\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\qmfm1tvs.4g3\005.exe
        14⤵
        
        PID:7028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aow4etrc.uae\toolspab1.exe & exit
        13⤵
        
        PID:7040
        
        C:\Users\Admin\AppData\Local\Temp\aow4etrc.uae\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\aow4etrc.uae\toolspab1.exe
        14⤵
        
        PID:6432
        
        C:\Users\Admin\AppData\Local\Temp\aow4etrc.uae\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\aow4etrc.uae\toolspab1.exe
        15⤵
        
        PID:7108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p2kkkpaa.szb\GcleanerWW.exe /mixone & exit
        13⤵
        
        PID:6252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g4gzjxfb.1uu\installer.exe /qn CAMPAIGN="654" & exit
        13⤵
        
        PID:6596
        
        C:\Users\Admin\AppData\Local\Temp\g4gzjxfb.1uu\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\g4gzjxfb.1uu\installer.exe /qn CAMPAIGN="654"
        14⤵
        
        PID:5640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yubycxun.qcm\702564a0.exe & exit
        13⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\yubycxun.qcm\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\yubycxun.qcm\702564a0.exe
        14⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 480
        15⤵
        Program crash
        Suspicious use of FindShellTrayWindow
        
        PID:4844
        
        C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"
        9⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Roaming\7261525.exe
        
        "C:\Users\Admin\AppData\Roaming\7261525.exe"
        10⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Roaming\7959793.exe
        
        "C:\Users\Admin\AppData\Roaming\7959793.exe"
        10⤵
        
        PID:5652
        
        C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        11⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Roaming\3030543.exe
        
        "C:\Users\Admin\AppData\Roaming\3030543.exe"
        10⤵
        
        PID:5768
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\r5do0mmt.tlc\google-game.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4920
      - C:\Users\Admin\AppData\Local\Temp\r5do0mmt.tlc\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\r5do0mmt.tlc\google-game.exe
        6⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl
        7⤵
        
        PID:5256
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\04rgli33.iob\005.exe & exit
        5⤵
        
        PID:3992
      - C:\Users\Admin\AppData\Local\Temp\04rgli33.iob\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\04rgli33.iob\005.exe
        6⤵
        
        PID:5400
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2mf1izj4.0co\toolspab1.exe & exit
        5⤵
        
        PID:5484
      - C:\Users\Admin\AppData\Local\Temp\2mf1izj4.0co\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\2mf1izj4.0co\toolspab1.exe
        6⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\2mf1izj4.0co\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\2mf1izj4.0co\toolspab1.exe
        7⤵
        
        PID:6364
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eopt1wr4.hjr\GcleanerWW.exe /mixone & exit
        5⤵
        
        PID:5896
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ok3xb2dl.dcf\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        
        PID:740
      - C:\Users\Admin\AppData\Local\Temp\ok3xb2dl.dcf\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\ok3xb2dl.dcf\installer.exe /qn CAMPAIGN="654"
        6⤵
        
        PID:6932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lldzcjso.zyc\702564a0.exe & exit
        5⤵
        
        PID:6364
      - C:\Users\Admin\AppData\Local\Temp\lldzcjso.zyc\702564a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\lldzcjso.zyc\702564a0.exe
        6⤵
        
        PID:6852

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2644

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2060

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7571458A0078490D664881581F5838AD C
  2⤵
  - Loads dropped DLL
  PID:3996
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3FCD436CCB1C7B08CF9760C8D2218E6B
  2⤵
  PID:5164
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5508
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9375E4B559294A2F3DFBC8638F861808 E Global\MSI0000
  2⤵
  PID:6660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5368

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6016

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5996

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6244

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\26AE.exe
C:\Users\Admin\AppData\Local\Temp\26AE.exe
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\26AE.exe
  C:\Users\Admin\AppData\Local\Temp\26AE.exe
  2⤵
  PID:2780
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\44518299-eb34-4c1e-83a3-4471e4be196d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:5272
- - C:\Users\Admin\AppData\Local\Temp\26AE.exe
    "C:\Users\Admin\AppData\Local\Temp\26AE.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:6524

C:\Users\Admin\AppData\Local\Temp\4FE2.exe
C:\Users\Admin\AppData\Local\Temp\4FE2.exe
1⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\923B.exe
C:\Users\Admin\AppData\Local\Temp\923B.exe
1⤵
PID:1928

C:\Users\Admin\AppData\Roaming\jssrjbu
C:\Users\Admin\AppData\Roaming\jssrjbu
1⤵
PID:5068

C:\Users\Admin\AppData\Roaming\rcsrjbu
C:\Users\Admin\AppData\Roaming\rcsrjbu
1⤵
PID:7008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/504-119-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/964-297-0x0000028D5D180000-0x0000028D5D1F0000-memory.dmp

Filesize
448KB

Download
memory/1064-285-0x0000021D7A270000-0x0000021D7A2E0000-memory.dmp

Filesize
448KB

Download
memory/1236-319-0x00000145B3CA0000-0x00000145B3D10000-memory.dmp

Filesize
448KB

Download
memory/1368-307-0x00000235F9560000-0x00000235F95D0000-memory.dmp

Filesize
448KB

Download
memory/1764-148-0x00000000031C2000-0x00000000031C4000-memory.dmp

Filesize
8KB

Download
memory/1764-146-0x00000000031C0000-0x00000000031C2000-memory.dmp

Filesize
8KB

Download
memory/1764-151-0x00000000031C5000-0x00000000031C6000-memory.dmp

Filesize
4KB

Download
memory/1824-313-0x0000018F53040000-0x0000018F530B0000-memory.dmp

Filesize
448KB

Download
memory/2336-277-0x0000023ABF850000-0x0000023ABF8C0000-memory.dmp

Filesize
448KB

Download
memory/2376-267-0x000001565C440000-0x000001565C4B0000-memory.dmp

Filesize
448KB

Download
memory/2536-283-0x0000018121CD0000-0x0000018121D40000-memory.dmp

Filesize
448KB

Download
memory/2760-131-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3104-144-0x0000000002FC0000-0x0000000002FC2000-memory.dmp

Filesize
8KB

Download
memory/3412-126-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3724-262-0x000001D020F30000-0x000001D020F7B000-memory.dmp

Filesize
300KB

Download
memory/3724-266-0x000001D020FF0000-0x000001D021060000-memory.dmp

Filesize
448KB

Download
memory/3928-145-0x00000000012D0000-0x00000000012D2000-memory.dmp

Filesize
8KB

Download
memory/3928-150-0x00000000012D5000-0x00000000012D7000-memory.dmp

Filesize
8KB

Download
memory/3928-149-0x00000000012D4000-0x00000000012D5000-memory.dmp

Filesize
4KB

Download
memory/3928-147-0x00000000012D2000-0x00000000012D4000-memory.dmp

Filesize
8KB

Download
memory/3984-123-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/4044-114-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4400-157-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/4400-158-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/4464-181-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4844-209-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4844-199-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4844-210-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4844-207-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4844-212-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4844-208-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4844-206-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4844-203-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4844-205-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4844-202-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4844-201-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4844-211-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4844-198-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4844-214-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4844-215-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4844-192-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4844-213-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4844-204-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4844-190-0x0000000003930000-0x000000000396C000-memory.dmp

Filesize
240KB

Download
memory/4844-200-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/5172-314-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5256-245-0x0000000004144000-0x0000000004245000-memory.dmp

Filesize
1.0MB

Download
memory/5256-246-0x0000000000CB0000-0x0000000000D0C000-memory.dmp

Filesize
368KB

Download
memory/5368-324-0x0000020097760000-0x00000200977D0000-memory.dmp

Filesize
448KB

Download
memory/5400-306-0x0000000000490000-0x000000000053E000-memory.dmp

Filesize
696KB

Download
memory/5400-288-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/5652-346-0x000000000DE50000-0x000000000DE51000-memory.dmp

Filesize
4KB

Download
memory/5652-337-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/5652-341-0x000000000E270000-0x000000000E271000-memory.dmp

Filesize
4KB

Download
memory/5652-348-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/5652-340-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/5652-339-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/5696-309-0x00000000001F0000-0x000000000084F000-memory.dmp

Filesize
6.4MB

Download
memory/5768-351-0x0000000004CB0000-0x0000000004CEA000-memory.dmp

Filesize
232KB

Download
memory/5768-347-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/5768-353-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/5768-344-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/5864-291-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5912-295-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5932-334-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/5932-343-0x00000000053C0000-0x00000000053EC000-memory.dmp

Filesize
176KB

Download
memory/5956-300-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/5956-318-0x000000001BD70000-0x000000001BD72000-memory.dmp

Filesize
8KB

Download
memory/5956-322-0x0000000001360000-0x000000000137D000-memory.dmp

Filesize
116KB

Download
memory/6108-312-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads