buran | 5739ea70dbe1a9d014b42300149b2ccbcf628cf08af00053708003caf3bbc14d

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1C85.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1C85.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3434.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3434.exe

Deletes itself 1 IoCs

pid	Process
2536	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
3140	1407.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000200000001ab57-149.dat	themida
behavioral2/files/0x000200000001ab57-156.dat	themida
behavioral2/memory/8-161-0x0000000001230000-0x0000000001231000-memory.dmp	themida
behavioral2/files/0x000200000001ab58-182.dat	themida
behavioral2/files/0x000200000001ab58-196.dat	themida
behavioral2/memory/188-207-0x0000000000B50000-0x0000000000B51000-memory.dmp	themida

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	36D5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	36D5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	36D5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\36D5.exe = "0"	36D5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	36D5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	36D5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	36D5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	36D5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	36D5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	36D5.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	3E48.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\smss.exe\" -start"	3E48.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1C85.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3434.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	36D5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	36D5.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\F:	smss.exe
File opened (read-only)	\??\V:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\A:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\P:	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
8	1C85.exe
188	3434.exe

Suspicious use of SetThreadContext 28 IoCs

description	pid	Process	procid_target
PID 764 set thread context of 68	764	5b9805d7b48c07d06c115c68f6453126.exe	75
PID 392 set thread context of 1184	392	14A4.exe	84
PID 2300 set thread context of 1308	2300	BF7.exe	81
PID 2300 set thread context of 3956	2300	BF7.exe	86
PID 2300 set thread context of 1252	2300	BF7.exe	89
PID 2300 set thread context of 2832	2300	BF7.exe	92
PID 2300 set thread context of 3180	2300	BF7.exe	100
PID 1216 set thread context of 4604	1216	36D5.exe	116
PID 2300 set thread context of 4408	2300	BF7.exe	110
PID 2300 set thread context of 5000	2300	BF7.exe	121
PID 2300 set thread context of 4400	2300	BF7.exe	131
PID 2300 set thread context of 416	2300	BF7.exe	135
PID 2300 set thread context of 4988	2300	BF7.exe	139
PID 2300 set thread context of 4792	2300	BF7.exe	140
PID 2300 set thread context of 4508	2300	BF7.exe	144
PID 2300 set thread context of 5688	2300	BF7.exe	146
PID 2300 set thread context of 5116	2300	BF7.exe	147
PID 2300 set thread context of 5948	2300	BF7.exe	151
PID 2300 set thread context of 5808	2300	BF7.exe	171
PID 2300 set thread context of 6100	2300	BF7.exe	174
PID 2300 set thread context of 5400	2300	BF7.exe	176
PID 2300 set thread context of 5716	2300	BF7.exe	177
PID 2300 set thread context of 4208	2300	BF7.exe	180
PID 2300 set thread context of 4616	2300	BF7.exe	181
PID 2300 set thread context of 5440	2300	BF7.exe	182
PID 2300 set thread context of 4600	2300	BF7.exe	184
PID 2300 set thread context of 4736	2300	BF7.exe	185
PID 2300 set thread context of 4456	2300	BF7.exe	186

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-oob.xrm-ms.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMXL.TTF.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCalls.c	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME.txt.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\sound.properties.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ppd.xrm-ms.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-options_zh_CN.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-ms	smss.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor_1.0.300.v20131211-1531.jar.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation_1.2.100.v20131119-0908.jar.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.ICO	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.SF	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ppd.xrm-ms	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_ja.jar	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ppd.xrm-ms.payfast290.8F6-B18-765	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml	smss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar	smss.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
2164	3140	WerFault.exe	82
1008	3140	WerFault.exe	82
1664	3140	WerFault.exe	82
2792	3140	WerFault.exe	82
4160	3140	WerFault.exe	82
4304	3140	WerFault.exe	82
4480	3140	WerFault.exe	82
4712	3140	WerFault.exe	82
5036	3140	WerFault.exe	82
4248	3140	WerFault.exe	82
4664	3140	WerFault.exe	82
5028	3140	WerFault.exe	82
4336	3140	WerFault.exe	82
4748	3140	WerFault.exe	82
5788	5428	WerFault.exe	148

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5b9805d7b48c07d06c115c68f6453126.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5b9805d7b48c07d06c115c68f6453126.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5b9805d7b48c07d06c115c68f6453126.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
6092	vssadmin.exe
6044	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 54a37b618c9cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGLockdown\00000000 = 102b4a638c9cd701	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\SplashScreen	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 1d24df8b702cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c3bb12618c9cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
68	5b9805d7b48c07d06c115c68f6453126.exe
68	5b9805d7b48c07d06c115c68f6453126.exe
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2536	Process not Found

Suspicious behavior: MapViewOfSection 47 IoCs

pid	Process
68	5b9805d7b48c07d06c115c68f6453126.exe
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
4376	explorer.exe
4376	explorer.exe
4976	explorer.exe
4976	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4580	explorer.exe
4376	explorer.exe
4376	explorer.exe
4976	explorer.exe
4976	explorer.exe
4580	explorer.exe
4580	explorer.exe
4376	explorer.exe
4376	explorer.exe
4976	explorer.exe
4976	explorer.exe
4580	explorer.exe
4580	explorer.exe
4376	explorer.exe
4376	explorer.exe
4976	explorer.exe
4976	explorer.exe
2924	MicrosoftEdgeCP.exe
2924	MicrosoftEdgeCP.exe
2924	MicrosoftEdgeCP.exe
2924	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeDebugPrivilege	392	14A4.exe
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeRestorePrivilege	2164	WerFault.exe
Token: SeBackupPrivilege	2164	WerFault.exe
Token: SeDebugPrivilege	2164	WerFault.exe
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeDebugPrivilege	1008	WerFault.exe
Token: SeDebugPrivilege	3036	MicrosoftEdge.exe
Token: SeImpersonatePrivilege	3036	MicrosoftEdge.exe
Token: SeDebugPrivilege	1664	WerFault.exe
Token: SeDebugPrivilege	8	1C85.exe
Token: SeDebugPrivilege	3932	AdvancedRun.exe
Token: SeImpersonatePrivilege	3932	AdvancedRun.exe
Token: SeDebugPrivilege	2792	WerFault.exe
Token: SeDebugPrivilege	4160	WerFault.exe
Token: SeDebugPrivilege	4304	WerFault.exe
Token: SeDebugPrivilege	4480	WerFault.exe
Token: SeDebugPrivilege	1216	36D5.exe
Token: SeDebugPrivilege	188	3434.exe
Token: SeDebugPrivilege	4712	WerFault.exe
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeDebugPrivilege	1284	3E48.exe
Token: SeDebugPrivilege	1284	3E48.exe
Token: SeDebugPrivilege	5036	WerFault.exe
Token: SeDebugPrivilege	4248	WerFault.exe
Token: SeDebugPrivilege	4664	WerFault.exe
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeDebugPrivilege	5028	WerFault.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2536	Process not Found
3036	MicrosoftEdge.exe
2924	MicrosoftEdgeCP.exe
2924	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2536	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 68	764	5b9805d7b48c07d06c115c68f6453126.exe	75
PID 764 wrote to memory of 68	764	5b9805d7b48c07d06c115c68f6453126.exe	75
PID 764 wrote to memory of 68	764	5b9805d7b48c07d06c115c68f6453126.exe	75
PID 764 wrote to memory of 68	764	5b9805d7b48c07d06c115c68f6453126.exe	75
PID 764 wrote to memory of 68	764	5b9805d7b48c07d06c115c68f6453126.exe	75
PID 764 wrote to memory of 68	764	5b9805d7b48c07d06c115c68f6453126.exe	75
PID 2536 wrote to memory of 2300	2536	Process not Found	79
PID 2536 wrote to memory of 2300	2536	Process not Found	79
PID 2536 wrote to memory of 2300	2536	Process not Found	79
PID 2300 wrote to memory of 1308	2300	BF7.exe	81
PID 2300 wrote to memory of 1308	2300	BF7.exe	81
PID 2300 wrote to memory of 1308	2300	BF7.exe	81
PID 2536 wrote to memory of 3140	2536	Process not Found	82
PID 2536 wrote to memory of 3140	2536	Process not Found	82
PID 2536 wrote to memory of 3140	2536	Process not Found	82
PID 2536 wrote to memory of 392	2536	Process not Found	83
PID 2536 wrote to memory of 392	2536	Process not Found	83
PID 2536 wrote to memory of 392	2536	Process not Found	83
PID 392 wrote to memory of 1184	392	14A4.exe	84
PID 392 wrote to memory of 1184	392	14A4.exe	84
PID 392 wrote to memory of 1184	392	14A4.exe	84
PID 392 wrote to memory of 1184	392	14A4.exe	84
PID 392 wrote to memory of 1184	392	14A4.exe	84
PID 392 wrote to memory of 1184	392	14A4.exe	84
PID 392 wrote to memory of 1184	392	14A4.exe	84
PID 392 wrote to memory of 1184	392	14A4.exe	84
PID 2300 wrote to memory of 1308	2300	BF7.exe	81
PID 2300 wrote to memory of 1308	2300	BF7.exe	81
PID 2300 wrote to memory of 1308	2300	BF7.exe	81
PID 2300 wrote to memory of 1308	2300	BF7.exe	81
PID 2300 wrote to memory of 1308	2300	BF7.exe	81
PID 2300 wrote to memory of 3956	2300	BF7.exe	86
PID 2300 wrote to memory of 3956	2300	BF7.exe	86
PID 2300 wrote to memory of 3956	2300	BF7.exe	86
PID 2536 wrote to memory of 8	2536	Process not Found	87
PID 2536 wrote to memory of 8	2536	Process not Found	87
PID 2536 wrote to memory of 8	2536	Process not Found	87
PID 2300 wrote to memory of 3956	2300	BF7.exe	86
PID 2300 wrote to memory of 3956	2300	BF7.exe	86
PID 2300 wrote to memory of 3956	2300	BF7.exe	86
PID 2300 wrote to memory of 3956	2300	BF7.exe	86
PID 2300 wrote to memory of 3956	2300	BF7.exe	86
PID 2300 wrote to memory of 1252	2300	BF7.exe	89
PID 2300 wrote to memory of 1252	2300	BF7.exe	89
PID 2300 wrote to memory of 1252	2300	BF7.exe	89
PID 2536 wrote to memory of 188	2536	Process not Found	90
PID 2536 wrote to memory of 188	2536	Process not Found	90
PID 2536 wrote to memory of 188	2536	Process not Found	90
PID 2300 wrote to memory of 1252	2300	BF7.exe	89
PID 2300 wrote to memory of 1252	2300	BF7.exe	89
PID 2300 wrote to memory of 1252	2300	BF7.exe	89
PID 2300 wrote to memory of 1252	2300	BF7.exe	89
PID 2300 wrote to memory of 1252	2300	BF7.exe	89
PID 2300 wrote to memory of 2832	2300	BF7.exe	92
PID 2300 wrote to memory of 2832	2300	BF7.exe	92
PID 2300 wrote to memory of 2832	2300	BF7.exe	92
PID 2536 wrote to memory of 1216	2536	Process not Found	93
PID 2536 wrote to memory of 1216	2536	Process not Found	93
PID 2536 wrote to memory of 1216	2536	Process not Found	93
PID 2536 wrote to memory of 1284	2536	Process not Found	97
PID 2536 wrote to memory of 1284	2536	Process not Found	97
PID 2536 wrote to memory of 1284	2536	Process not Found	97
PID 1216 wrote to memory of 3036	1216	36D5.exe	134
PID 1216 wrote to memory of 3036	1216	36D5.exe	134

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	36D5.exe

C:\Users\Admin\AppData\Local\Temp\5b9805d7b48c07d06c115c68f6453126.exe
"C:\Users\Admin\AppData\Local\Temp\5b9805d7b48c07d06c115c68f6453126.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\5b9805d7b48c07d06c115c68f6453126.exe
  "C:\Users\Admin\AppData\Local\Temp\5b9805d7b48c07d06c115c68f6453126.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:68

C:\Users\Admin\AppData\Local\Temp\BF7.exe
C:\Users\Admin\AppData\Local\Temp\BF7.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:416
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:5688
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:5948
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:5936
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:5808
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:5908
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:6100
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:5196
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:5400
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:5716
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:5964
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:6028
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:5440
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:5356
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  - Executes dropped EXE
  PID:5696
- C:\Users\Admin\AppData\Local\Temp\BF7.exe
  C:\Users\Admin\AppData\Local\Temp\BF7.exe
  2⤵
  PID:4964

C:\Users\Admin\AppData\Local\Temp\1407.exe
C:\Users\Admin\AppData\Local\Temp\1407.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 736
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 748
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 672
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 892
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1184
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1232
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1276
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1192
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1172
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1152
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 824
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1352
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:5028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1420
  2⤵
  - Program crash
  PID:4336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1400
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:4748

C:\Users\Admin\AppData\Local\Temp\14A4.exe
C:\Users\Admin\AppData\Local\Temp\14A4.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:1184

C:\Users\Admin\AppData\Local\Temp\1C85.exe
C:\Users\Admin\AppData\Local\Temp\1C85.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Users\Admin\AppData\Local\Temp\3434.exe
C:\Users\Admin\AppData\Local\Temp\3434.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:188

C:\Users\Admin\AppData\Local\Temp\36D5.exe
C:\Users\Admin\AppData\Local\Temp\36D5.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1216
- C:\Users\Admin\AppData\Local\Temp\4b483648-fc14-486e-b67c-643270f2c877\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\4b483648-fc14-486e-b67c-643270f2c877\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\4b483648-fc14-486e-b67c-643270f2c877\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\4b483648-fc14-486e-b67c-643270f2c877\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\4b483648-fc14-486e-b67c-643270f2c877\AdvancedRun.exe" /SpecialRun 4101d8 3036
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\36D5.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4528
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\36D5.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  2⤵
  PID:4604

C:\Users\Admin\AppData\Local\Temp\3E48.exe
C:\Users\Admin\AppData\Local\Temp\3E48.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1284
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:5396
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:5796
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:5416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:5436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:5616
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:6092
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:5724
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:5356
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:6044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:5568
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:5112

C:\Users\Admin\AppData\Local\Temp\4416.exe
C:\Users\Admin\AppData\Local\Temp\4416.exe
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4136

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4244

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4444

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4580

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4780

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4976

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1092

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4376

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4500

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3036

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3744

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1124

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5160

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5428
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5428 -s 1300
  2⤵
  - Program crash
  PID:5788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery