asyncrat | a92eb964d56ff8dccb926598aca597a6244d10334f264aafcba9752a30dbe9b3

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	D99D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	D99D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	E0C2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	E0C2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Fineeest_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Fineeest_.exe

Deletes itself 1 IoCs

pid	Process
3016	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
4060	EDC6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000500000001ab2d-119.dat	themida
behavioral2/files/0x000500000001ab2d-120.dat	themida
behavioral2/files/0x000200000001ab2e-124.dat	themida
behavioral2/files/0x000200000001ab2e-125.dat	themida
behavioral2/memory/192-127-0x0000000000B70000-0x0000000000B71000-memory.dmp	themida
behavioral2/memory/2788-135-0x0000000001050000-0x0000000001051000-memory.dmp	themida
behavioral2/files/0x000500000001ab31-340.dat	themida
behavioral2/files/0x000500000001ab31-368.dat	themida

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	E391.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	E391.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\E391.exe = "0"	E391.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	E391.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	E391.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	E391.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	E391.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	E391.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	E391.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	E391.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	EBE0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"	EBE0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	E391.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Fineeest_.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	D99D.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	E0C2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	E391.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\66ec590fe3b06475ba301abd06c28c0e\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	PryntVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\66ec590fe3b06475ba301abd06c28c0e\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\66ec590fe3b06475ba301abd06c28c0e\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\66ec590fe3b06475ba301abd06c28c0e\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\66ec590fe3b06475ba301abd06c28c0e\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\66ec590fe3b06475ba301abd06c28c0e\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\66ec590fe3b06475ba301abd06c28c0e\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	PryntVirus.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\T:	explorer.exe
File opened (read-only)	\??\S:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\B:	explorer.exe
File opened (read-only)	\??\Y:	explorer.exe
File opened (read-only)	\??\X:	explorer.exe
File opened (read-only)	\??\U:	explorer.exe
File opened (read-only)	\??\R:	explorer.exe
File opened (read-only)	\??\N:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\Z:	explorer.exe
File opened (read-only)	\??\W:	explorer.exe
File opened (read-only)	\??\Q:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\V:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	geoiptool.com
55	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
192	D99D.exe
2788	E0C2.exe
1524	Fineeest_.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4060 set thread context of 2432	4060	b8f76d9cd83557379f3fe8b5dd080f9a.exe	75
PID 3540 set thread context of 632	3540	E391.exe	104
PID 4256 set thread context of 3472	4256	rfcjvsa	168

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.payfast290.571-792-E7E	explorer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSans.ttf	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\cldrdata.jar.payfast290.571-792-E7E	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\VBE6EXT.OLB	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-64.png	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml.payfast290.571-792-E7E	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml.payfast290.571-792-E7E	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.js.payfast290.571-792-E7E	explorer.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Awards\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Rainbow.png	explorer.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe\AppxMetadata\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCache-Dark.scale-140.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\BingLocalSearchService.winmd	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\FreeCell\Control_10.jpg	explorer.exe
File created	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-20.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\osf\dropdownarrow_16x16x32.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\is_16x11.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-64_altform-unplated.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\MainPageState2\create_bp_920.jpg	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms.payfast290.571-792-E7E	explorer.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-80_altform-unplated_contrast-white.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8794_24x24x32.png	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png	explorer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\flavormap.properties	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL077.XML	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\logo.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\AppxManifest.xml	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailWideTile.scale-125.png	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsMedTile.scale-125.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Icon.targetsize-32.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\PrizeHistory\badges_gold.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\OneConnectAppList.scale-125.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\WindowsCamera.exe	explorer.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\Attribution\foreca.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_CatEye.png	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt.payfast290.571-792-E7E	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\LargeTile.scale-125.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_contrast-white.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_altform-unplated_contrast-high.png	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar.payfast290.571-792-E7E	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\excel.x-none.msi.16.x-none.vreg.dat	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml	explorer.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Popups\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-16_altform-unplated.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-white_scale-200.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms.payfast290.571-792-E7E	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-pl.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms.payfast290.571-792-E7E	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\msipc.dll.mui	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN026.XML.payfast290.571-792-E7E	explorer.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
2756	4060	WerFault.exe	86
4252	4060	WerFault.exe	86
4336	4060	WerFault.exe	86
4416	4060	WerFault.exe	86
4540	4060	WerFault.exe	86
4612	4060	WerFault.exe	86
4744	4060	WerFault.exe	86
4904	4060	WerFault.exe	86
5104	4060	WerFault.exe	86
2920	4060	WerFault.exe	86
4292	4060	WerFault.exe	86
4420	4060	WerFault.exe	86
4992	4060	WerFault.exe	86
4856	4060	WerFault.exe	86

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b8f76d9cd83557379f3fe8b5dd080f9a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b8f76d9cd83557379f3fe8b5dd080f9a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rfcjvsa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rfcjvsa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rfcjvsa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b8f76d9cd83557379f3fe8b5dd080f9a.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	PryntVirus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	PryntVirus.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
4960	schtasks.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4268	vssadmin.exe
2476	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4960f74d7c9cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Pack = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000a288b9a2dc0c2bfa142ca7a73fca70f502fc4974b0424c3eb1da0b4fb7ce29c9abbea92bc78acccf6c52ec850677c62be19450936d99efff0b77ef883a180a18c68147e6af61d9d0b26d9370ce3f884943989b5fb77e419473fd	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 1d24df8b702cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000d1a3ced05137b15c5739b4a24a009ba1e145474816a190e7860b7a9760585dc742ce347e2e58b93748f67021176757d5fe306e0918808d4f988d151c9b715fc696a1088c867d65d362a56c411cfb10c79894b6b695f4de4ce6507b607cc8045b4bbe686cedc8980f8ae41acc62dc17e29d1191bdec1ded94fff41b53c67be28771c393af7058ac7b735512b06a2a42d98547e2fe341cbe8c4e1a22a529aca995d851d855764de6696097aed644058c615ed6f4a8390f74c67c60fd539279007f760969ac2dc77555f4490fce1c8d62ba145e0a9b8217c3ca5a6776426f045917988914bc8ae57295290d95d6c7e231047c7fb35f0c553a389fcf22e5e66bb40e1173624890c94362138267befe24ca6a55d94daf6ee7a92fe83877fd19d0f8c257657c5d3192442cdc47a081f173d51d600c4f88efee050e8e424b60955167dede00d16d1d605e3a10fefb5ffbef761896b7e2d6b08a277d658e82d50d1026ca6fe5b602a75244a446469cfad9b88cb8b87c7da849dce7cb4dba0100742c14efc2b230fac58ae394d0be3d8bd7eedc2cc7faf2f47a02399c0e163c36e2fd06b3366888764b43	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{A1EE5E62-0361-4815-8021-A421F91AA7E4}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{59719C32-8FFE-4E7F-B1DC-5482B161833F} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedHeight = "600"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	EBE0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	EBE0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2432	b8f76d9cd83557379f3fe8b5dd080f9a.exe
2432	b8f76d9cd83557379f3fe8b5dd080f9a.exe
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3016	Process not Found

Suspicious behavior: MapViewOfSection 40 IoCs

pid	Process
2432	b8f76d9cd83557379f3fe8b5dd080f9a.exe
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3016	Process not Found
3836	explorer.exe
3836	explorer.exe
3912	explorer.exe
3912	explorer.exe
4116	explorer.exe
4116	explorer.exe
3836	explorer.exe
3836	explorer.exe
3912	explorer.exe
3912	explorer.exe
4116	explorer.exe
4116	explorer.exe
3464	MicrosoftEdgeCP.exe
3464	MicrosoftEdgeCP.exe
4116	explorer.exe
4116	explorer.exe
3836	explorer.exe
3836	explorer.exe
3912	explorer.exe
3912	explorer.exe
3472	rfcjvsa

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeDebugPrivilege	3632	AdvancedRun.exe
Token: SeImpersonatePrivilege	3632	AdvancedRun.exe
Token: SeDebugPrivilege	3032	AdvancedRun.exe
Token: SeImpersonatePrivilege	3032	AdvancedRun.exe
Token: SeRestorePrivilege	2756	WerFault.exe
Token: SeBackupPrivilege	2756	WerFault.exe
Token: SeBackupPrivilege	2756	WerFault.exe
Token: SeDebugPrivilege	1736	EBE0.exe
Token: SeDebugPrivilege	1736	EBE0.exe
Token: SeDebugPrivilege	3540	E391.exe
Token: SeDebugPrivilege	2756	WerFault.exe
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	4252	WerFault.exe
Token: SeDebugPrivilege	4336	Process not Found
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeDebugPrivilege	4416	WerFault.exe
Token: SeDebugPrivilege	2788	E0C2.exe
Token: SeDebugPrivilege	192	D99D.exe
Token: SeDebugPrivilege	4540	WerFault.exe
Token: SeDebugPrivilege	4612	WerFault.exe
Token: SeDebugPrivilege	4744	WerFault.exe
Token: SeDebugPrivilege	4904	WerFault.exe
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeDebugPrivilege	5104	WerFault.exe
Token: SeTakeOwnershipPrivilege	3016	Process not Found
Token: SeRestorePrivilege	3016	Process not Found
Token: SeDebugPrivilege	2920	WerFault.exe
Token: SeDebugPrivilege	4292	WerFault.exe
Token: SeDebugPrivilege	4420	WerFault.exe
Token: SeDebugPrivilege	4992	WerFault.exe
Token: SeDebugPrivilege	4856	WerFault.exe
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found
Token: SeShutdownPrivilege	3016	Process not Found
Token: SeCreatePagefilePrivilege	3016	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3016	Process not Found
3016	Process not Found

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3016	Process not Found
3016	Process not Found
3016	Process not Found

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3016	Process not Found
3564	MicrosoftEdge.exe
4268	MicrosoftEdge.exe
3464	MicrosoftEdgeCP.exe
3464	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3016	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 2432	4060	b8f76d9cd83557379f3fe8b5dd080f9a.exe	75
PID 4060 wrote to memory of 2432	4060	b8f76d9cd83557379f3fe8b5dd080f9a.exe	75
PID 4060 wrote to memory of 2432	4060	b8f76d9cd83557379f3fe8b5dd080f9a.exe	75
PID 4060 wrote to memory of 2432	4060	b8f76d9cd83557379f3fe8b5dd080f9a.exe	75
PID 4060 wrote to memory of 2432	4060	b8f76d9cd83557379f3fe8b5dd080f9a.exe	75
PID 4060 wrote to memory of 2432	4060	b8f76d9cd83557379f3fe8b5dd080f9a.exe	75
PID 3016 wrote to memory of 192	3016	Process not Found	79
PID 3016 wrote to memory of 192	3016	Process not Found	79
PID 3016 wrote to memory of 192	3016	Process not Found	79
PID 3016 wrote to memory of 2788	3016	Process not Found	81
PID 3016 wrote to memory of 2788	3016	Process not Found	81
PID 3016 wrote to memory of 2788	3016	Process not Found	81
PID 3016 wrote to memory of 3540	3016	Process not Found	83
PID 3016 wrote to memory of 3540	3016	Process not Found	83
PID 3016 wrote to memory of 3540	3016	Process not Found	83
PID 3016 wrote to memory of 484	3016	Process not Found	84
PID 3016 wrote to memory of 484	3016	Process not Found	84
PID 3016 wrote to memory of 1736	3016	Process not Found	85
PID 3016 wrote to memory of 1736	3016	Process not Found	85
PID 3016 wrote to memory of 1736	3016	Process not Found	85
PID 3016 wrote to memory of 4060	3016	Process not Found	86
PID 3016 wrote to memory of 4060	3016	Process not Found	86
PID 3016 wrote to memory of 4060	3016	Process not Found	86
PID 3016 wrote to memory of 408	3016	Process not Found	87
PID 3016 wrote to memory of 408	3016	Process not Found	87
PID 3016 wrote to memory of 408	3016	Process not Found	87
PID 3016 wrote to memory of 408	3016	Process not Found	87
PID 3016 wrote to memory of 1740	3016	Process not Found	88
PID 3016 wrote to memory of 1740	3016	Process not Found	88
PID 3016 wrote to memory of 1740	3016	Process not Found	88
PID 3016 wrote to memory of 2148	3016	Process not Found	89
PID 3016 wrote to memory of 2148	3016	Process not Found	89
PID 3016 wrote to memory of 2148	3016	Process not Found	89
PID 3016 wrote to memory of 2148	3016	Process not Found	89
PID 3540 wrote to memory of 3632	3540	E391.exe	90
PID 3540 wrote to memory of 3632	3540	E391.exe	90
PID 3540 wrote to memory of 3632	3540	E391.exe	90
PID 3632 wrote to memory of 3032	3632	AdvancedRun.exe	91
PID 3632 wrote to memory of 3032	3632	AdvancedRun.exe	91
PID 3632 wrote to memory of 3032	3632	AdvancedRun.exe	91
PID 3016 wrote to memory of 3912	3016	Process not Found	93
PID 3016 wrote to memory of 3912	3016	Process not Found	93
PID 3016 wrote to memory of 3912	3016	Process not Found	93
PID 3016 wrote to memory of 2068	3016	Process not Found	94
PID 3016 wrote to memory of 2068	3016	Process not Found	94
PID 3016 wrote to memory of 2068	3016	Process not Found	94
PID 3016 wrote to memory of 2068	3016	Process not Found	94
PID 3016 wrote to memory of 3836	3016	Process not Found	95
PID 3016 wrote to memory of 3836	3016	Process not Found	95
PID 3016 wrote to memory of 3836	3016	Process not Found	95
PID 3016 wrote to memory of 636	3016	Process not Found	98
PID 3016 wrote to memory of 636	3016	Process not Found	98
PID 3016 wrote to memory of 636	3016	Process not Found	98
PID 3016 wrote to memory of 636	3016	Process not Found	98
PID 3540 wrote to memory of 2152	3540	E391.exe	99
PID 3540 wrote to memory of 2152	3540	E391.exe	99
PID 3540 wrote to memory of 2152	3540	E391.exe	99
PID 3540 wrote to memory of 1052	3540	E391.exe	101
PID 3540 wrote to memory of 1052	3540	E391.exe	101
PID 3540 wrote to memory of 1052	3540	E391.exe	101
PID 1736 wrote to memory of 3504	1736	EBE0.exe	103
PID 1736 wrote to memory of 3504	1736	EBE0.exe	103
PID 1736 wrote to memory of 3504	1736	EBE0.exe	103
PID 1736 wrote to memory of 1480	1736	EBE0.exe	105

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	E391.exe

C:\Users\Admin\AppData\Local\Temp\b8f76d9cd83557379f3fe8b5dd080f9a.exe
"C:\Users\Admin\AppData\Local\Temp\b8f76d9cd83557379f3fe8b5dd080f9a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\b8f76d9cd83557379f3fe8b5dd080f9a.exe
  "C:\Users\Admin\AppData\Local\Temp\b8f76d9cd83557379f3fe8b5dd080f9a.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2432

C:\Users\Admin\AppData\Local\Temp\D99D.exe
C:\Users\Admin\AppData\Local\Temp\D99D.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:192

C:\Users\Admin\AppData\Local\Temp\E0C2.exe
C:\Users\Admin\AppData\Local\Temp\E0C2.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Users\Admin\AppData\Local\Temp\E391.exe
C:\Users\Admin\AppData\Local\Temp\E391.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3540
- C:\Users\Admin\AppData\Local\Temp\3eefcfab-8505-4672-ac40-a50254e82156\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\3eefcfab-8505-4672-ac40-a50254e82156\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\3eefcfab-8505-4672-ac40-a50254e82156\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Users\Admin\AppData\Local\Temp\3eefcfab-8505-4672-ac40-a50254e82156\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\3eefcfab-8505-4672-ac40-a50254e82156\AdvancedRun.exe" /SpecialRun 4101d8 3632
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\E391.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\E391.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
  2⤵
  PID:632

C:\Users\Admin\AppData\Local\Temp\EAE5.exe
C:\Users\Admin\AppData\Local\Temp\EAE5.exe
1⤵
- Executes dropped EXE
PID:484
- C:\Users\Admin\AppData\Local\Temp\Fineeest_.exe
  "C:\Users\Admin\AppData\Local\Temp\Fineeest_.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1524
- C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe
  "C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  PID:188
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    PID:4192
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4676
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      PID:4284
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    PID:1164
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4564
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      PID:5064
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4960
- C:\Users\Admin\AppData\Local\Temp\1000 hq.exe
  "C:\Users\Admin\AppData\Local\Temp\1000 hq.exe"
  2⤵
  - Executes dropped EXE
  PID:4780

C:\Users\Admin\AppData\Local\Temp\EBE0.exe
C:\Users\Admin\AppData\Local\Temp\EBE0.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  PID:3504
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:5084
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:3804
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:4356
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:4480
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2476
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4424
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:1480

C:\Users\Admin\AppData\Local\Temp\EDC6.exe
C:\Users\Admin\AppData\Local\Temp\EDC6.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 744
  2⤵
  - Drops file in Windows directory
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 848
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 836
  2⤵
  - Program crash
  PID:4336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 868
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1188
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1172
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4612
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1284
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1188
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1248
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 804
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1316
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1352
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1320
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1356
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4856

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:408

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1740

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2148

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3912

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2068

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3836

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:636

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4116

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4312

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3564

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:1636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:576

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4268

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5000

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3464

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4276

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4104

C:\Users\Admin\AppData\Roaming\rfcjvsa
C:\Users\Admin\AppData\Roaming\rfcjvsa
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4256
- C:\Users\Admin\AppData\Roaming\rfcjvsa
  C:\Users\Admin\AppData\Roaming\rfcjvsa
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:3472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery