c189b6ac65c28a587f58df19d61132c231896a43b3b33e681246c58bebad4139

Analysis

max time kernel
333s
max time network
343s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

roUI-win32-x64/roUI.exe
Size

129.8MB
MD5

f96c49e1edeafedab1d7f991500ab3b0
SHA1

355f8c54b90b9fb9edc9a71bd4b979baf77326c1
SHA256

e1254436ad4ff1c60ddb725b61f00090d181f83336e0317a59b432e4982397f6
SHA512

41f33a4368c1242cf9bf2c750236c39befa166ea96d0087c76badeea3a9b9bf4f9635fd171c465740e2bbf82543fce16d9ea81a82204e2a3174a14cb81b0dd6a
SSDEEP

1572864:d6ckQr2SGDlw8h9DxUPh9hHV9nItmuT+2ibiE9TNGrAym:jXulw8PDxUZI4Gg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	roUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	roUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	roUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	roUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	roUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	roUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	roUI.exe

Modifies system certificate store 2 TTPs 6 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	roUI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	roUI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	roUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	roUI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	roUI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	roUI.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4580	roUI.exe
4580	roUI.exe
2660	roUI.exe
2660	roUI.exe
800	roUI.exe
800	roUI.exe
4440	roUI.exe
4440	roUI.exe
4440	roUI.exe
4440	roUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 4908	4148	roUI.exe	89
PID 4148 wrote to memory of 2660	4148	roUI.exe	90
PID 4148 wrote to memory of 2660	4148	roUI.exe	90
PID 4148 wrote to memory of 4580	4148	roUI.exe	91
PID 4148 wrote to memory of 4580	4148	roUI.exe	91
PID 4148 wrote to memory of 800	4148	roUI.exe	95
PID 4148 wrote to memory of 800	4148	roUI.exe	95
PID 4148 wrote to memory of 8	4148	roUI.exe	97
PID 4148 wrote to memory of 8	4148	roUI.exe	97
PID 4148 wrote to memory of 8	4148	roUI.exe	97
PID 4148 wrote to memory of 8	4148	roUI.exe	97
PID 4148 wrote to memory of 8	4148	roUI.exe	97
PID 4148 wrote to memory of 8	4148	roUI.exe	97
PID 4148 wrote to memory of 8	4148	roUI.exe	97
PID 4148 wrote to memory of 8	4148	roUI.exe	97
PID 4148 wrote to memory of 8	4148	roUI.exe	97
PID 4148 wrote to memory of 8	4148	roUI.exe	97
PID 4148 wrote to memory of 8	4148	roUI.exe	97
PID 4148 wrote to memory of 8	4148	roUI.exe	97
PID 4148 wrote to memory of 8	4148	roUI.exe	97
PID 4148 wrote to memory of 8	4148	roUI.exe	97
PID 4148 wrote to memory of 8	4148	roUI.exe	97
PID 4148 wrote to memory of 8	4148	roUI.exe	97
PID 4148 wrote to memory of 8	4148	roUI.exe	97
PID 4148 wrote to memory of 8	4148	roUI.exe	97

C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
"C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=gpu-process --field-trial-handle=1816,9780187743799188944,15138379459727553305,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1816,9780187743799188944,15138379459727553305,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2660
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=renderer --field-trial-handle=1816,9780187743799188944,15138379459727553305,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\resources\app" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2504 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4580
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=renderer --field-trial-handle=1816,9780187743799188944,15138379459727553305,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\resources\app" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:800
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=renderer --field-trial-handle=1816,9780187743799188944,15138379459727553305,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\resources\app" --enable-sandbox --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:8
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=renderer --field-trial-handle=1816,9780187743799188944,15138379459727553305,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\resources\app" --enable-sandbox --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:4532
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=gpu-process --field-trial-handle=1816,9780187743799188944,15138379459727553305,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2868 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4440
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=renderer --field-trial-handle=1816,9780187743799188944,15138379459727553305,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\resources\app" --enable-sandbox --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:4228
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=renderer --field-trial-handle=1816,9780187743799188944,15138379459727553305,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\resources\app" --enable-sandbox --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:4692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
49dfad249f5ce665df6f505725e6670c

SHA1
7604e9225d44e104bff9f9279b1d4c9afbcd632d

SHA256
6d53427023a8d80a1fdf5192fe61cb4d06527bc404336f0dbd991b1ce593881f

SHA512
3b41ea944481e61992725c21b299484c9582cfbb72640c79a5957b62df0e5d51498ed1bd6ca798e699d72b4f04d4faa88accd55f4e2c1bb65c9531143136be55

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
7fb289c074d13ee9c00745fa968dd7a4

SHA1
64b51cab3d393e7dd678a1a7ad28124c7921000c

SHA256
e2694c88d39cc6eebc72c78a99918e2e3da470a5c796c569476890fd97868bd0

SHA512
61c5a709a53de855806e585595297574c91dafad2a7756f3fe06724f05ac3bcd0b31b7111e44edf700d2c66b02291a25d35efde67a5ac0713c10a163d3dfe11f

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
5a12628065c84a9bf891ea917c01767a

SHA1
c5905ab2a7bcfa8994c051c445cc3a3e71940c11

SHA256
b1168be98cd7223df03074037a958552af30da9f740c665c341d7c9df5bb080a

SHA512
99ccf9673e7025313672f60e5b899ae96b976ab9e9859151ba1794f8dfee64fbf8fad87e82650cfc6c82cb923b6fa6a7d5583c63003b04084c95a067feee7b1f

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
e5a42828ec4f01315f0bbf2105ce8644

SHA1
7fabfc3c9b74a01f6230e5ee814edbc175d98323

SHA256
f493436362bc9453ec8aadf747f687093d885b4c9360ae411f8152ee85c44e6f

SHA512
55b3ba0a78643321b318eef26cc1311552d71be114fa8154aad01f0c3bb8c409504962cf6fa6ba1f4cca217d76f518c384babb3667df9ae81e5d98946fbc5d9d

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Network Persistent State

Filesize
618B

MD5
4f9dc45692ef10715edd493d523c2774

SHA1
b407f079a09efc67980806963c7c7e1f2fd74254

SHA256
f924ded007783b93810a6e38c04bf85065124922de144c351904a316bc7b6b2e

SHA512
3b391e05f0742efc7b5d9c4bde0d7e42ce5d24a42bec4890684385099846fdd2e14ece4e2d169cb90d879b19c96975a47ad632863b678ec14c9beaccdf3e0460

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Network Persistent State

Filesize
618B

MD5
75531c8a7a643b1c27dee6c945342124

SHA1
c433cab5fa616571600b63e982f267f82ce4ab32

SHA256
466b60e5cda1421fd2c593d8248a56962c20c805f75988e03d66e0323847a247

SHA512
c0d658ad20824cbe5c4ddc527cbeb8de710293f8fcf44c7ed497f80f0090d1f9d19e0f14c0aff27b5bd1ffab4946ffd5cfa4f730c258c797b3420be2aa692c62

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Network Persistent State

Filesize
618B

MD5
5aa5d83751b48c411f2184a3a953ff45

SHA1
338b63797eb809dae0be88b5c5e82fafca2cc909

SHA256
8a076aadd4de3ba1dbc8723557b888f66c88cd038d130fc59aa940a73315e2c9

SHA512
e2c75b7ab974a22771dc673829ad463b475a4f8a337523991e23951907ca5bbe8eddebcc9cc02d7a604ddf1bbf7480d4bdf6b629b303bd32d4487d8a6a7a9c8b

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Network Persistent State~RFe589cd7.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
memory/8-70-0x0000017B63AB0000-0x0000017B63B4E000-memory.dmp

Filesize
632KB

Download
memory/8-62-0x00007FFB3C590000-0x00007FFB3C591000-memory.dmp

Filesize
4KB

Download
memory/8-63-0x0000017B63AA0000-0x0000017B63AA1000-memory.dmp

Filesize
4KB

Download
memory/8-67-0x0000017B638F0000-0x0000017B63A91000-memory.dmp

Filesize
1.6MB

Download
memory/4228-154-0x000002018F7F0000-0x000002018F7F1000-memory.dmp

Filesize
4KB

Download
memory/4228-161-0x000002018F550000-0x000002018F5EE000-memory.dmp

Filesize
632KB

Download
memory/4228-160-0x000002018F640000-0x000002018F7E1000-memory.dmp

Filesize
1.6MB

Download
memory/4532-69-0x0000018DAE360000-0x0000018DAE361000-memory.dmp

Filesize
4KB

Download
memory/4532-127-0x0000018DAE0F0000-0x0000018DAE18E000-memory.dmp

Filesize
632KB

Download
memory/4532-88-0x0000018DAE0F0000-0x0000018DAE18E000-memory.dmp

Filesize
632KB

Download
memory/4532-112-0x0000018DAE0F0000-0x0000018DAE18E000-memory.dmp

Filesize
632KB

Download
memory/4532-87-0x0000018DAE1B0000-0x0000018DAE351000-memory.dmp

Filesize
1.6MB

Download
memory/4908-4-0x00007FFB3C980000-0x00007FFB3C981000-memory.dmp

Filesize
4KB

Download
memory/4908-86-0x0000020BC87E0000-0x0000020BC8981000-memory.dmp

Filesize
1.6MB

Download