asyncrat | 04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	D393.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Fineeest_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Fineeest_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CC1F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CC1F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	D393.exe

Deletes itself 1 IoCs

pid	Process
2224	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
1156	E308.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000500000001ab30-119.dat	themida
behavioral1/files/0x000500000001ab30-120.dat	themida
behavioral1/files/0x000200000001ab31-124.dat	themida
behavioral1/files/0x000200000001ab31-125.dat	themida
behavioral1/memory/3676-129-0x0000000000020000-0x0000000000021000-memory.dmp	themida
behavioral1/memory/1132-135-0x0000000000990000-0x0000000000991000-memory.dmp	themida
behavioral1/files/0x000300000001ab3b-238.dat	themida
behavioral1/files/0x000300000001ab3b-239.dat	themida
behavioral1/memory/4360-249-0x0000000001170000-0x0000000001171000-memory.dmp	themida

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	D578.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	D578.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	D578.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\D578.exe = "0"	D578.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	D578.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	D578.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	D578.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	D578.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	D578.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	D578.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	E0A5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"	E0A5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CC1F.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	D393.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	D578.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	D578.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Fineeest_.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\74f6fcc624823695a6a2a996cf1453dd\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	PryntVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\74f6fcc624823695a6a2a996cf1453dd\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\74f6fcc624823695a6a2a996cf1453dd\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\74f6fcc624823695a6a2a996cf1453dd\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\74f6fcc624823695a6a2a996cf1453dd\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\74f6fcc624823695a6a2a996cf1453dd\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\74f6fcc624823695a6a2a996cf1453dd\Admin@GFBFPSXA_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	PryntVirus.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\N:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe
File opened (read-only)	\??\S:	explorer.exe
File opened (read-only)	\??\R:	explorer.exe
File opened (read-only)	\??\Q:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\B:	explorer.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\V:	explorer.exe
File opened (read-only)	\??\U:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\T:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\Z:	explorer.exe
File opened (read-only)	\??\X:	explorer.exe
File opened (read-only)	\??\W:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\Y:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	geoiptool.com
101	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3676	CC1F.exe
1132	D393.exe
4360	Fineeest_.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 580 set thread context of 944	580	04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1.exe	77
PID 2432 set thread context of 3608	2432	D578.exe	107

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-output2.jar.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\dcf.x-none.msi.16.x-none.vreg.dat	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\BASMLA.XSL	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ppd.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaBrightDemiBold.ttf	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ppd.xrm-ms.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fontconfig.properties.src	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002	explorer.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\THMBNAIL.PNG.payfast290.A97-722-EDF	explorer.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.jar	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar.payfast290.A97-722-EDF	explorer.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\PCHEALTH\ERRORREP\QHEADLES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-phn.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-LIGHT.TTF	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-pl.xrm-ms.payfast290.A97-722-EDF	explorer.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\msipc.dll.mui.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\3RDPARTY.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBOB6.CHM	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-pl.xrm-ms.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare.HxS	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml	explorer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_sv.properties	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar.payfast290.A97-722-EDF	explorer.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\amd64\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ul-oob.xrm-ms.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif.payfast290.A97-722-EDF	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARABD.TTF	explorer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 17 IoCs

pid	pid_target	Process	procid_target
1224	1156	WerFault.exe	86
1940	1156	WerFault.exe	86
1748	1156	WerFault.exe	86
4112	1156	WerFault.exe	86
4140	1156	WerFault.exe	86
4256	1156	WerFault.exe	86
4336	1156	WerFault.exe	86
4468	1156	WerFault.exe	86
5108	1156	WerFault.exe	86
4440	1156	WerFault.exe	86
4624	1156	WerFault.exe	86
4688	1156	WerFault.exe	86
4772	1156	WerFault.exe	86
4332	1156	WerFault.exe	86
5284	4240	WerFault.exe	150
5660	5528	WerFault.exe	153
4592	6016	WerFault.exe	155

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	PryntVirus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	PryntVirus.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5688	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4148	vssadmin.exe
4036	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5c553eb27a9cd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "3yf14p5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d376fcb07a9cd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGLockdown	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGLockdown\00000000 = e68250b37a9cd701	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 1d24df8b702cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000059efb3fcb974a9a383205376f268a713e9abe677fd8ee4e1cee167bd52f55605c0964ee9821e89e84d43250e8be705f5820cf45208828072c43c	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{4654D467-7328-48E1-83FC-ECB3725D0C29}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000b2419c5aac21db36382c8ef58f05d66c128acba383d8b3c3415910044d936a57c1b1cc01a3f1a02e375e1095f2941207ad7c643cad2009463f20d310865e250af5ee2a9b1b5aa09a0dc3cecb9984a8910b4c063460d23c28e1abea5611db9b9c8818444220fc84e1d57d452f077696ecae18dc0bb98c378d981c0c7cfba857e4d24fed1b4d770ca5dcac4d4b2f08b5a03602b1d421f06f350992a664c467cecfdbb32b9b7b6bf7e55f71694861dba03c8d28f622cc9c20a91b2d24a80fb7b6ffd564049c307835bd5bea5295198fa1bd07ac2bccb7312efadd0c4054c2376382db82e04b473e1fa0f6380b46e2c4950a8fac1e7a59504811b851a0029b891793f22d42e0ed5ceb39fc7b3c77bb1a787f264afd0afb97138baf1b743e344c9c6bd4850d21bc7432cd23d4b6859431e584b3a49dbd5aa81629298a8334881f8d283dabc3c18025fa31ff61852a7eaa603e05dc1339c52115cf62be1ebfe0a40aba2cbd6986ea0fbe52994344ea3c2349428b10cf589ca30611aad624b3497ac0e761dc303ff8d2c34c7f9bc0cd123dbd6574628dcb6fcf0753c98505e98f7978123549e7b4466a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000db80a43933480488350edd633c68dab60b56fb1797983d7d00adb7aec4dbf6c4830be1d638481b651b2eb2e8b3ccbf7d5081bcb2527232b45a21	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{CC132273-C10A-43C7-ACC1-C77149C727A4} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGLockdown\BlameModules\00000000 = "MicrosoftEdgeCP.exe\\wincorlib.DLL\\advapi32.dll\\USER32.dll\\clipc.dll\\msiso.dll\\WINHTTP.dll\\CRYPTBASE.dll\\Windows.UI.dll\\usermgrcli.dll\\msctf.dll\\mrmcorer.dll\\E"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f3cb42ad7a9cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e086a7af7a9cd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	E0A5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	E0A5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
944	04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1.exe
944	04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1.exe
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2224	Process not Found

Suspicious behavior: MapViewOfSection 57 IoCs

pid	Process
944	04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1.exe
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
2224	Process not Found
1556	explorer.exe
1556	explorer.exe
2560	explorer.exe
2560	explorer.exe
3960	explorer.exe
3960	explorer.exe
2560	explorer.exe
2560	explorer.exe
3960	explorer.exe
3960	explorer.exe
1556	explorer.exe
1556	explorer.exe
1556	explorer.exe
1556	explorer.exe
2560	explorer.exe
2560	explorer.exe
3960	explorer.exe
3960	explorer.exe
3960	explorer.exe
3960	explorer.exe
1556	explorer.exe
1556	explorer.exe
2560	explorer.exe
2560	explorer.exe
1556	explorer.exe
1556	explorer.exe
2560	explorer.exe
2560	explorer.exe
3960	explorer.exe
3960	explorer.exe
1556	explorer.exe
1556	explorer.exe
2560	explorer.exe
2560	explorer.exe
3960	explorer.exe
3960	explorer.exe
4760	MicrosoftEdgeCP.exe
4760	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeDebugPrivilege	1748	AdvancedRun.exe
Token: SeImpersonatePrivilege	1748	AdvancedRun.exe
Token: SeDebugPrivilege	2420	AdvancedRun.exe
Token: SeImpersonatePrivilege	2420	AdvancedRun.exe
Token: SeDebugPrivilege	3780	E0A5.exe
Token: SeDebugPrivilege	3780	E0A5.exe
Token: SeRestorePrivilege	1224	WerFault.exe
Token: SeBackupPrivilege	1224	WerFault.exe
Token: SeDebugPrivilege	2432	D578.exe
Token: SeDebugPrivilege	1224	WerFault.exe
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeDebugPrivilege	1940	WerFault.exe
Token: SeDebugPrivilege	1748	WerFault.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	200	powershell.exe
Token: SeDebugPrivilege	4112	WerFault.exe
Token: SeDebugPrivilege	4140	WerFault.exe
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeDebugPrivilege	4256	WerFault.exe
Token: SeDebugPrivilege	4336	WerFault.exe
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeDebugPrivilege	1132	D393.exe
Token: SeDebugPrivilege	3676	CC1F.exe
Token: SeDebugPrivilege	4468	WerFault.exe
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeShutdownPrivilege	2224	Process not Found
Token: SeCreatePagefilePrivilege	2224	Process not Found
Token: SeShutdownPrivilege	2224	Process not Found

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2224	Process not Found
4804	MicrosoftEdge.exe
4760	MicrosoftEdgeCP.exe
4760	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2224	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 944	580	04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1.exe	77
PID 580 wrote to memory of 944	580	04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1.exe	77
PID 580 wrote to memory of 944	580	04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1.exe	77
PID 580 wrote to memory of 944	580	04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1.exe	77
PID 580 wrote to memory of 944	580	04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1.exe	77
PID 580 wrote to memory of 944	580	04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1.exe	77
PID 2224 wrote to memory of 3676	2224	Process not Found	79
PID 2224 wrote to memory of 3676	2224	Process not Found	79
PID 2224 wrote to memory of 3676	2224	Process not Found	79
PID 2224 wrote to memory of 1132	2224	Process not Found	81
PID 2224 wrote to memory of 1132	2224	Process not Found	81
PID 2224 wrote to memory of 1132	2224	Process not Found	81
PID 2224 wrote to memory of 2432	2224	Process not Found	83
PID 2224 wrote to memory of 2432	2224	Process not Found	83
PID 2224 wrote to memory of 2432	2224	Process not Found	83
PID 2224 wrote to memory of 2664	2224	Process not Found	84
PID 2224 wrote to memory of 2664	2224	Process not Found	84
PID 2224 wrote to memory of 3780	2224	Process not Found	85
PID 2224 wrote to memory of 3780	2224	Process not Found	85
PID 2224 wrote to memory of 3780	2224	Process not Found	85
PID 2224 wrote to memory of 1156	2224	Process not Found	86
PID 2224 wrote to memory of 1156	2224	Process not Found	86
PID 2224 wrote to memory of 1156	2224	Process not Found	86
PID 2224 wrote to memory of 2392	2224	Process not Found	87
PID 2224 wrote to memory of 2392	2224	Process not Found	87
PID 2224 wrote to memory of 2392	2224	Process not Found	87
PID 2224 wrote to memory of 2392	2224	Process not Found	87
PID 2224 wrote to memory of 3976	2224	Process not Found	88
PID 2224 wrote to memory of 3976	2224	Process not Found	88
PID 2224 wrote to memory of 3976	2224	Process not Found	88
PID 2224 wrote to memory of 3592	2224	Process not Found	89
PID 2224 wrote to memory of 3592	2224	Process not Found	89
PID 2224 wrote to memory of 3592	2224	Process not Found	89
PID 2224 wrote to memory of 3592	2224	Process not Found	89
PID 2224 wrote to memory of 3960	2224	Process not Found	90
PID 2224 wrote to memory of 3960	2224	Process not Found	90
PID 2224 wrote to memory of 3960	2224	Process not Found	90
PID 2224 wrote to memory of 1840	2224	Process not Found	91
PID 2224 wrote to memory of 1840	2224	Process not Found	91
PID 2224 wrote to memory of 1840	2224	Process not Found	91
PID 2224 wrote to memory of 1840	2224	Process not Found	91
PID 2224 wrote to memory of 2560	2224	Process not Found	92
PID 2224 wrote to memory of 2560	2224	Process not Found	92
PID 2224 wrote to memory of 2560	2224	Process not Found	92
PID 2432 wrote to memory of 1748	2432	D578.exe	93
PID 2432 wrote to memory of 1748	2432	D578.exe	93
PID 2432 wrote to memory of 1748	2432	D578.exe	93
PID 2224 wrote to memory of 640	2224	Process not Found	94
PID 2224 wrote to memory of 640	2224	Process not Found	94
PID 2224 wrote to memory of 640	2224	Process not Found	94
PID 2224 wrote to memory of 640	2224	Process not Found	94
PID 1748 wrote to memory of 2420	1748	AdvancedRun.exe	95
PID 1748 wrote to memory of 2420	1748	AdvancedRun.exe	95
PID 1748 wrote to memory of 2420	1748	AdvancedRun.exe	95
PID 2224 wrote to memory of 1556	2224	Process not Found	98
PID 2224 wrote to memory of 1556	2224	Process not Found	98
PID 2224 wrote to memory of 1556	2224	Process not Found	98
PID 3780 wrote to memory of 2052	3780	E0A5.exe	100
PID 3780 wrote to memory of 2052	3780	E0A5.exe	100
PID 3780 wrote to memory of 2052	3780	E0A5.exe	100
PID 3780 wrote to memory of 1652	3780	E0A5.exe	101
PID 3780 wrote to memory of 1652	3780	E0A5.exe	101
PID 3780 wrote to memory of 1652	3780	E0A5.exe	101
PID 3780 wrote to memory of 1652	3780	E0A5.exe	101

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	D578.exe

C:\Users\Admin\AppData\Local\Temp\04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1.exe
"C:\Users\Admin\AppData\Local\Temp\04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:580
- C:\Users\Admin\AppData\Local\Temp\04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1.exe
  "C:\Users\Admin\AppData\Local\Temp\04b7b21160c2634304e7f9e377dcf1fc98bd6def1bbec40ec2bcfd85e97310d1.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:944

C:\Users\Admin\AppData\Local\Temp\CC1F.exe
C:\Users\Admin\AppData\Local\Temp\CC1F.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Users\Admin\AppData\Local\Temp\D393.exe
C:\Users\Admin\AppData\Local\Temp\D393.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Users\Admin\AppData\Local\Temp\D578.exe
C:\Users\Admin\AppData\Local\Temp\D578.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2432
- C:\Users\Admin\AppData\Local\Temp\68117a32-dc96-4b8f-bea2-5e5a0235642d\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\68117a32-dc96-4b8f-bea2-5e5a0235642d\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\68117a32-dc96-4b8f-bea2-5e5a0235642d\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\68117a32-dc96-4b8f-bea2-5e5a0235642d\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\68117a32-dc96-4b8f-bea2-5e5a0235642d\AdvancedRun.exe" /SpecialRun 4101d8 1748
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\D578.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\D578.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  2⤵
  PID:3608

C:\Users\Admin\AppData\Local\Temp\DC9D.exe
C:\Users\Admin\AppData\Local\Temp\DC9D.exe
1⤵
- Executes dropped EXE
PID:2664
- C:\Users\Admin\AppData\Local\Temp\Fineeest_.exe
  "C:\Users\Admin\AppData\Local\Temp\Fineeest_.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4360
- C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe
  "C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    PID:5012
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1132
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:5656
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    PID:2584
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4084
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      PID:1808
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5688
- C:\Users\Admin\AppData\Local\Temp\1000 hq.exe
  "C:\Users\Admin\AppData\Local\Temp\1000 hq.exe"
  2⤵
  - Executes dropped EXE
  PID:4480

C:\Users\Admin\AppData\Local\Temp\E0A5.exe
C:\Users\Admin\AppData\Local\Temp\E0A5.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:4656
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:4788
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:4836
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:4500
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4036
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4872
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:1652

C:\Users\Admin\AppData\Local\Temp\E308.exe
C:\Users\Admin\AppData\Local\Temp\E308.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 736
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 788
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 884
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 884
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1180
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 612
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1172
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1228
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1184
  2⤵
  - Program crash
  PID:5108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1200
  2⤵
  - Program crash
  PID:4440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1228
  2⤵
  - Program crash
  PID:4624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1168
  2⤵
  - Program crash
  PID:4688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1084
  2⤵
  - Program crash
  PID:4772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1260
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:4332

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2392

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3976

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3592

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3960

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1840

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2560

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:640

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1556

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4804

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3832

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4760

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4240
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4240 -s 1548
  2⤵
  - Program crash
  PID:5284

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5172

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5528
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5528 -s 1936
  2⤵
  - Program crash
  PID:5660

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6016
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 6016 -s 804
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:4592

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery