0af06fb0a98f36849371c928af03a39c57e7596b32c806da9f358651714a2ac7

System Information Discovery

Processes:

dmaster.exedmaster.exedmaster.exedmaster.exedmaster.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	dmaster.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	dmaster.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	dmaster.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	dmaster.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	dmaster.exe

Loads dropped DLL 52 IoCs

Processes:

regsvr32.exeregsvr32.exedmaster.exedmaster.exedmaster.exedmaster.exedmaster.exe

pid	process
1424	regsvr32.exe
3484	regsvr32.exe
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
2868	dmaster.exe
2868	dmaster.exe
2868	dmaster.exe
2868	dmaster.exe
2868	dmaster.exe
2868	dmaster.exe
2868	dmaster.exe
2868	dmaster.exe
2868	dmaster.exe
2868	dmaster.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

dmaster.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run	dmaster.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Download Master = "C:\\Program Files (x86)\\Download Master\\dmaster.exe -autorun"	dmaster.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in Program Files directory 64 IoCs

Processes:

dmaster.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Download Master\Plugins\remotedownload.dll	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-EFTQ4.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\unins000.msg	dmaster.tmp
File opened for modification	C:\Program Files (x86)\Download Master\unzip32.dll	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-1QDC3.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-MIUFR.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-IGCAL.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-U2IIH.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-5FLD1.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-PCR37.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-5LRV6.tmp	dmaster.tmp
File opened for modification	C:\Program Files (x86)\Download Master\dm_rus.chm	dmaster.tmp
File opened for modification	C:\Program Files (x86)\Download Master\temp\downloader_old.exe	dmaster.tmp
File opened for modification	C:\Program Files (x86)\Download Master\Plugins\advscheduler.chm	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\unins000.dat	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\temp\is-VCJVP.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\Sounds\is-UO33H.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\Skins\is-NQCTE.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\Plugins\is-T3H7L.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-JB7M4.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-91U49.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\temp\is-SGB05.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\temp\is-GMHMV.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\Extensions\is-Q6DTC.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-1CD8O.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\temp\is-NMDG3.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\temp\is-B5MHE.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-CI5LH.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-OMKSU.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\temp\is-60OB3.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\temp\is-18USR.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\Sounds\is-6D1R2.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-U1PI2.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\temp\is-8M3HP.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-C47UU.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-2O7IQ.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-6B7OR.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-698I6.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-TPRQT.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-UAFUJ.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-DPR58.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-31DCU.tmp	dmaster.tmp
File opened for modification	C:\Program Files (x86)\Download Master\dmie.dll	dmaster.tmp
File opened for modification	C:\Program Files (x86)\Download Master\temp\downloader.exe	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-DNJJF.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\temp\is-C14UI.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-OSPRP.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-B1PDJ.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-LFGMS.tmp	dmaster.tmp
File opened for modification	C:\Program Files (x86)\Download Master\Plugins\videoserv.dll	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-NV06B.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\Skins\is-LAPID.tmp	dmaster.tmp
File opened for modification	C:\Program Files (x86)\Download Master\com.westbyte.downloadmaster.exe	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\Extensions\is-4GPEE.tmp	dmaster.tmp
File opened for modification	C:\Program Files (x86)\Download Master\unins000.dat	dmaster.tmp
File opened for modification	C:\Program Files (x86)\Download Master\Plugins\botmaster.dll	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-CLM07.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\temp\is-U8HR9.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\Sounds\is-EET71.tmp	dmaster.tmp
File opened for modification	C:\Program Files (x86)\Download Master\Plugins\advscheduler.dll	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\is-OULUP.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\temp\is-Q2B88.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\Plugins\is-9TKTL.tmp	dmaster.tmp
File created	C:\Program Files (x86)\Download Master\Plugins\is-56QDT.tmp	dmaster.tmp

Drops file in Windows directory 5 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exetaskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
344	1308	WerFault.exe	dmaster.exe
3784	3012	WerFault.exe	dmaster.exe
3528	4084	WerFault.exe	dmaster.exe
2332	2868	WerFault.exe	dmaster.exe
188	2868	WerFault.exe	dmaster.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Control Panel 5 IoCs

evasion

Processes:

dmaster.exedmaster.exedmaster.exedmaster.exedmaster.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo	dmaster.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo	dmaster.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo	dmaster.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo	dmaster.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo	dmaster.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

Processes:

dmaster.tmpbrowser_broker.exedmaster.exeMicrosoftEdgeCP.exeMicrosoftEdge.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MenuExt\Закачать при помощи Download Master\contexts = "34"	dmaster.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{8DAE90AD-4583-4977-9DD4-4360F7A45C74}\ButtonText = "Download Master"	dmaster.tmp
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MenuExt\Закачать ВСЕ при помощи Download Master\ = "C:\\Program Files (x86)\\Download Master\\dmieall.htm"	dmaster.tmp
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{8DAE90AD-4583-4977-9DD4-4360F7A45C74}	dmaster.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{8DAE90AD-4583-4977-9DD4-4360F7A45C74}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	dmaster.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{8DAE90AD-4583-4977-9DD4-4360F7A45C74}\MenuStatusBar = "Download Master"	dmaster.tmp
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\International\CpMRU	dmaster.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MenuExt\Çàêà÷àòü ïðè ïîìîùè Download Master\ = "C:\\Program Files (x86)\\Download Master\\dmie.htm"	dmaster.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MenuExt\Ïåðåäàòü íà óäàëåííóþ çàêà÷êó DM\contexts = "34"	dmaster.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	dmaster.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Закачать ВСЕ при помощи Download Master	dmaster.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{8DAE90AD-4583-4977-9DD4-4360F7A45C74}\MenuText = "&Download Master"	dmaster.tmp
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Çàêà÷àòü ïðè ïîìîùè Download Master	dmaster.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MenuExt\Çàêà÷àòü ÂÑÅ ïðè ïîìîùè Download Master\ = "C:\\Program Files (x86)\\Download Master\\dmieall.htm"	dmaster.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	dmaster.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Закачать при помощи Download Master	dmaster.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MenuExt\Передать на удаленную закачку DM\contexts = "34"	dmaster.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dmaster.exe = "11000"	dmaster.tmp
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	dmaster.tmp
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Çàêà÷àòü ÂÑÅ ïðè ïîìîùè Download Master	dmaster.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MenuExt\Закачать при помощи Download Master\ = "C:\\Program Files (x86)\\Download Master\\dmie.htm"	dmaster.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MenuExt\Закачать ВСЕ при помощи Download Master\contexts = "243"	dmaster.tmp
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Передать на удаленную закачку DM	dmaster.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dmaster.exe = "11000"	dmaster.tmp
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	dmaster.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{8DAE90AD-4583-4977-9DD4-4360F7A45C74}\HotIcon = "C:\\Program Files (x86)\\Download Master\\dmaster.exe,210"	dmaster.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	dmaster.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MenuExt\Çàêà÷àòü ïðè ïîìîùè Download Master\contexts = "34"	dmaster.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MenuExt\Çàêà÷àòü ÂÑÅ ïðè ïîìîùè Download Master\contexts = "243"	dmaster.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MenuExt\Ïåðåäàòü íà óäàëåííóþ çàêà÷êó DM\ = "C:\\Program Files (x86)\\Download Master\\remdown.htm"	dmaster.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	dmaster.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\MenuExt\Передать на удаленную закачку DM\ = "C:\\Program Files (x86)\\Download Master\\remdown.htm"	dmaster.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{8DAE90AD-4583-4977-9DD4-4360F7A45C74}\Default Visible = "Yes"	dmaster.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{8DAE90AD-4583-4977-9DD4-4360F7A45C74}\Icon = "C:\\Program Files (x86)\\Download Master\\dmaster.exe,211"	dmaster.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{8DAE90AD-4583-4977-9DD4-4360F7A45C74}\Exec = "C:\\Program Files (x86)\\Download Master\\dmaster.exe"	dmaster.tmp
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Ïåðåäàòü íà óäàëåííóþ çàêà÷êó DM	dmaster.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeregsvr32.exeregsvr32.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedmaster.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9961627E-4059-41B4-8E0E-A7D6B3854ADF}\ = "IE 4.x-6.x BHO for Download Master"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{6C103304-4D00-4B6D-A269-E02795C89952}"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31DB2428-93BB-43E8-9F31-686C7F8C58DF}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DMIE.MoveURL\ = "MoveURL Object"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DMIE.IEDownloadManager\ = "DM Download catcher for IE6"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = eda47e9320aed701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 99e8e61825c3d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{22D1250D-930F-4DFB-AE98-9FB407679AEB}\1.0\ = "DMIE Library"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9961627E-4059-41B4-8E0E-A7D6B3854ADF}\ProgID\ = "dmiehlp.DMIEHelper"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = eda47e9320aed701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DMFile\DefaultIcon\ = "C:\\Program Files (x86)\\Download Master\\dmaster.exe,-201"	dmaster.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.urls	dmaster.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{99C71D7D-FC1E-4CD5-AD22-1078D716F4E0}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DMFile\DefaultIcon	dmaster.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DMFile\shell\open\command\ = "C:\\Program Files (x86)\\Download Master\\dmaster.exe \"%L\""	dmaster.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{22D1250D-930F-4DFB-AE98-9FB407679AEB}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Download Master\\"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DMIE.IEDownloadManager\Clsid\ = "{31DB2428-93BB-43E8-9F31-686C7F8C58DF}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedHeight = "600"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Pack = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{22D1250D-930F-4DFB-AE98-9FB407679AEB}\1.0\0\win32\ = "C:\\Program Files (x86)\\Download Master\\dmie.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FC88142-1C6D-48FB-9592-2923CEA45815}\TypeLib\ = "{22D1250D-930F-4DFB-AE98-9FB407679AEB}"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DMUrlsFile\shell\open\command	dmaster.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9961627E-4059-41B4-8E0E-A7D6B3854ADF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FC88142-1C6D-48FB-9592-2923CEA45815}\ = "IMoveURL"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

dmaster.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\SystemCertificates\SYSTEM	dmaster.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\SystemCertificates\SYSTEM\Certificates	dmaster.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\SystemCertificates\SYSTEM\CRLs	dmaster.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\SystemCertificates\SYSTEM\CTLs	dmaster.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dmaster.tmpWerFault.exeWerFault.exeWerFault.exetaskmgr.exeWerFault.exe

pid	process
4084	dmaster.tmp
4084	dmaster.tmp
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3784	WerFault.exe
3528	WerFault.exe
3528	WerFault.exe
3528	WerFault.exe
3528	WerFault.exe
3528	WerFault.exe
3528	WerFault.exe
3528	WerFault.exe
3528	WerFault.exe
3528	WerFault.exe
3528	WerFault.exe
3528	WerFault.exe
3528	WerFault.exe
3528	WerFault.exe
3528	WerFault.exe
3528	WerFault.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

dmaster.exedmaster.exedmaster.exedmaster.exe

pid process

1308 dmaster.exe
3012 dmaster.exe
4084 dmaster.exe
740 dmaster.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

2744 MicrosoftEdgeCP.exe
2744 MicrosoftEdgeCP.exe

pid	process
2744	MicrosoftEdgeCP.exe
2744	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeWerFault.exeWerFault.exeWerFault.exefirefox.exeAUDIODG.EXEtaskmgr.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2128	MicrosoftEdge.exe
Token: SeDebugPrivilege	2128	MicrosoftEdge.exe
Token: SeDebugPrivilege	2128	MicrosoftEdge.exe
Token: SeDebugPrivilege	2128	MicrosoftEdge.exe
Token: SeDebugPrivilege	3756	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3756	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3756	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3756	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2128	MicrosoftEdge.exe
Token: SeDebugPrivilege	2444	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2444	MicrosoftEdgeCP.exe
Token: SeRestorePrivilege	344	WerFault.exe
Token: SeBackupPrivilege	344	WerFault.exe
Token: SeDebugPrivilege	344	WerFault.exe
Token: SeDebugPrivilege	3784	WerFault.exe
Token: SeDebugPrivilege	3528	WerFault.exe
Token: SeDebugPrivilege	3044	firefox.exe
Token: SeDebugPrivilege	3044	firefox.exe
Token: 33	4020	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4020	AUDIODG.EXE
Token: SeDebugPrivilege	3044	firefox.exe
Token: SeDebugPrivilege	3044	firefox.exe
Token: SeDebugPrivilege	2760	taskmgr.exe
Token: SeSystemProfilePrivilege	2760	taskmgr.exe
Token: SeCreateGlobalPrivilege	2760	taskmgr.exe
Token: 33	2760	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2760	taskmgr.exe
Token: SeDebugPrivilege	2332	WerFault.exe
Token: SeDebugPrivilege	188	WerFault.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

dmaster.tmpdmaster.exedmaster.exedmaster.exedmaster.exefirefox.exetaskmgr.exe

pid	process
4084	dmaster.tmp
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
3044	firefox.exe
3044	firefox.exe
3044	firefox.exe
3044	firefox.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

dmaster.exedmaster.exedmaster.exedmaster.exefirefox.exetaskmgr.exedmaster.exe

pid	process
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
1308	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
740	dmaster.exe
3044	firefox.exe
3044	firefox.exe
3044	firefox.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2760	taskmgr.exe
2868	dmaster.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

dmaster.exeMicrosoftEdge.exeMicrosoftEdgeCP.exedmaster.exedmaster.exedmaster.exefirefox.exedmaster.exe

pid	process
1308	dmaster.exe
2128	MicrosoftEdge.exe
2744	MicrosoftEdgeCP.exe
2744	MicrosoftEdgeCP.exe
1308	dmaster.exe
1308	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
3012	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
4084	dmaster.exe
740	dmaster.exe
3044	firefox.exe
2868	dmaster.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dmaster.exedmaster.tmpMicrosoftEdgeCP.exefirefox.exefirefox.exe

description	pid	process	target process
PID 2352 wrote to memory of 4084	2352	dmaster.exe	dmaster.tmp
PID 2352 wrote to memory of 4084	2352	dmaster.exe	dmaster.tmp
PID 2352 wrote to memory of 4084	2352	dmaster.exe	dmaster.tmp
PID 4084 wrote to memory of 1424	4084	dmaster.tmp	regsvr32.exe
PID 4084 wrote to memory of 1424	4084	dmaster.tmp	regsvr32.exe
PID 4084 wrote to memory of 1424	4084	dmaster.tmp	regsvr32.exe
PID 4084 wrote to memory of 3484	4084	dmaster.tmp	regsvr32.exe
PID 4084 wrote to memory of 3484	4084	dmaster.tmp	regsvr32.exe
PID 4084 wrote to memory of 3484	4084	dmaster.tmp	regsvr32.exe
PID 4084 wrote to memory of 1308	4084	dmaster.tmp	dmaster.exe
PID 4084 wrote to memory of 1308	4084	dmaster.tmp	dmaster.exe
PID 4084 wrote to memory of 1308	4084	dmaster.tmp	dmaster.exe
PID 2744 wrote to memory of 3756	2744	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2744 wrote to memory of 3756	2744	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2744 wrote to memory of 3756	2744	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3264 wrote to memory of 3044	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 3044	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 3044	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 3044	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 3044	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 3044	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 3044	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 3044	3264	firefox.exe	firefox.exe
PID 3264 wrote to memory of 3044	3264	firefox.exe	firefox.exe
PID 3044 wrote to memory of 1512	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 1512	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe
PID 3044 wrote to memory of 180	3044	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\dmaster.exe
"C:\Users\Admin\AppData\Local\Temp\dmaster.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2352

C:\Users\Admin\AppData\Local\Temp\is-LP67N.tmp\dmaster.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LP67N.tmp\dmaster.tmp" /SL5="$601DE,7072878,121344,C:\Users\Admin\AppData\Local\Temp\dmaster.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Download Master\dmie.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:1424

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Download Master\dmiehlp.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:3484

C:\Program Files (x86)\Download Master\dmaster.exe
"C:\Program Files (x86)\Download Master\dmaster.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 3104
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2128

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2592

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Program Files (x86)\Download Master\dmaster.exe
"C:\Program Files (x86)\Download Master\dmaster.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies Control Panel
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 2696
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Program Files (x86)\Download Master\dmaster.exe
"C:\Program Files (x86)\Download Master\dmaster.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies Control Panel
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 3020
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Program Files (x86)\Download Master\dmaster.exe
"C:\Program Files (x86)\Download Master\dmaster.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies Control Panel
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:740

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3044.0.556548890\1816411743" -parentBuildID 20200403170909 -prefsHandle 1512 -prefMapHandle 1460 -prefsLen 1 -prefMapSize 219808 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3044 "\\.\pipe\gecko-crash-server-pipe.3044" 1612 gpu
3⤵
PID:1512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3044.3.1241354535\1877323070" -childID 1 -isForBrowser -prefsHandle 2096 -prefMapHandle 2208 -prefsLen 122 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3044 "\\.\pipe\gecko-crash-server-pipe.3044" 2228 tab
3⤵
PID:180

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3044.13.790818544\188095952" -childID 2 -isForBrowser -prefsHandle 3452 -prefMapHandle 3440 -prefsLen 6979 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3044 "\\.\pipe\gecko-crash-server-pipe.3044" 3464 tab
3⤵
PID:2028

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3044.20.1066505934\1492830986" -childID 3 -isForBrowser -prefsHandle 4112 -prefMapHandle 4108 -prefsLen 7907 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3044 "\\.\pipe\gecko-crash-server-pipe.3044" 4328 tab
3⤵
PID:2268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3044.27.978475557\1126324486" -parentBuildID 20200403170909 -prefsHandle 4684 -prefMapHandle 4824 -prefsLen 8529 -prefMapSize 219808 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3044 "\\.\pipe\gecko-crash-server-pipe.3044" 4784 rdd
3⤵
PID:2540

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x410
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2760

C:\Program Files (x86)\Download Master\dmaster.exe
"C:\Program Files (x86)\Download Master\dmaster.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 2408
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 2352
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery