buran | 2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3942.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3942.exe

Deletes itself 1 IoCs

pid	Process
2708	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
1660	3C32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000200000001ab4b-125.dat	themida
behavioral1/files/0x000200000001ab4b-126.dat	themida
behavioral1/memory/2768-145-0x0000000000B80000-0x0000000000B81000-memory.dmp	themida

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\3B27.exe = "0"	3B27.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	3B27.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	3B27.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	3B27.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	3B27.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	3B27.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	3B27.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	3B27.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	3B27.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	3B27.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	3EE2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"	3EE2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3942.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3B27.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3B27.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Y:	services.exe
File opened (read-only)	\??\U:	services.exe
File opened (read-only)	\??\O:	services.exe
File opened (read-only)	\??\F:	services.exe
File opened (read-only)	\??\A:	services.exe
File opened (read-only)	\??\Z:	services.exe
File opened (read-only)	\??\W:	services.exe
File opened (read-only)	\??\R:	services.exe
File opened (read-only)	\??\M:	services.exe
File opened (read-only)	\??\J:	services.exe
File opened (read-only)	\??\G:	services.exe
File opened (read-only)	\??\S:	services.exe
File opened (read-only)	\??\P:	services.exe
File opened (read-only)	\??\N:	services.exe
File opened (read-only)	\??\L:	services.exe
File opened (read-only)	\??\K:	services.exe
File opened (read-only)	\??\B:	services.exe
File opened (read-only)	\??\X:	services.exe
File opened (read-only)	\??\V:	services.exe
File opened (read-only)	\??\T:	services.exe
File opened (read-only)	\??\Q:	services.exe
File opened (read-only)	\??\I:	services.exe
File opened (read-only)	\??\H:	services.exe
File opened (read-only)	\??\E:	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
2768	3942.exe
2256	44FE.exe
2256	44FE.exe
2256	44FE.exe
2256	44FE.exe
2256	44FE.exe
2256	44FE.exe

Suspicious use of SetThreadContext 19 IoCs

description	pid	Process	procid_target
PID 564 set thread context of 3164	564	2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b.exe	77
PID 1180 set thread context of 3268	1180	346F.exe	94
PID 1504 set thread context of 3696	1504	3B27.exe	106
PID 1180 set thread context of 3380	1180	346F.exe	98
PID 1180 set thread context of 2364	1180	346F.exe	110
PID 1180 set thread context of 4332	1180	346F.exe	115
PID 1180 set thread context of 5100	1180	346F.exe	122
PID 1180 set thread context of 4552	1180	346F.exe	126
PID 1180 set thread context of 4684	1180	346F.exe	130
PID 1180 set thread context of 4864	1180	346F.exe	132
PID 1180 set thread context of 4300	1180	346F.exe	137
PID 1180 set thread context of 5548	1180	346F.exe	139
PID 1180 set thread context of 5444	1180	346F.exe	157
PID 1180 set thread context of 728	1180	346F.exe	174
PID 1180 set thread context of 5820	1180	346F.exe	170
PID 1180 set thread context of 4804	1180	346F.exe	171
PID 1180 set thread context of 5556	1180	346F.exe	172
PID 1180 set thread context of 2236	1180	346F.exe	176
PID 1180 set thread context of 4788	1180	346F.exe	177

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_ja.jar.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jvm.hprof.txt	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css	services.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy.jar.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\GRAY.pf.payfast.12F-B86-295	services.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pl.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	services.exe
File opened for modification	C:\Program Files\EnableUse.contact	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\sRGB.pf	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\core_ja.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_zh_4.4.0.v20140623020002.jar.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar	services.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\trusted.libraries	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui_4.0.100.v20140401-0608.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzmappings	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation_1.2.100.v20131119-0908.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jfr\profile.jfc	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\nashorn.jar.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\profile.jfc.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\meta-index	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_it.properties	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.SF	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_CN.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\NetworkServerControl.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di_1.0.0.v20140328-2112.jar.payfast.12F-B86-295	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	services.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar	services.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
4244	1660	WerFault.exe	84
4436	1660	WerFault.exe	84
4560	1660	WerFault.exe	84
4748	1660	WerFault.exe	84
5112	1660	WerFault.exe	84
4232	1660	WerFault.exe	84
4568	1660	WerFault.exe	84
3236	1660	WerFault.exe	84
4428	1660	WerFault.exe	84
4324	1660	WerFault.exe	84
4416	1660	WerFault.exe	84
5016	1660	WerFault.exe	84
4772	1660	WerFault.exe	84
5316	1660	WerFault.exe	84
5928	728	WerFault.exe	159

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
5188	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 1d24df8b702cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGLockdown	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGLockdown\BlameModules\00000000 = "MicrosoftEdgeCP.exe\\wincorlib.DLL\\advapi32.dll\\USER32.dll\\clipc.dll\\msiso.dll\\WINHTTP.dll\\CRYPTBASE.dll\\Windows.UI.dll\\usermgrcli.dll\\msctf.dll\\mrmcorer.dll\\UiaManager.dll\\Windows.Graphics.dll\\E"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 44bb9e99429dd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 1d24df8b702cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\SplashScreen	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	3EE2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	3EE2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3164	2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b.exe
3164	2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b.exe
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2708	Process not Found

Suspicious behavior: MapViewOfSection 55 IoCs

pid	Process
3164	2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b.exe
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
2708	Process not Found
3928	explorer.exe
3928	explorer.exe
3756	explorer.exe
3756	explorer.exe
2860	explorer.exe
2860	explorer.exe
3928	explorer.exe
3928	explorer.exe
3756	explorer.exe
3756	explorer.exe
2860	explorer.exe
2860	explorer.exe
3928	explorer.exe
3928	explorer.exe
3756	explorer.exe
3756	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
2860	explorer.exe
3928	explorer.exe
3928	explorer.exe
3756	explorer.exe
3756	explorer.exe
2860	explorer.exe
2860	explorer.exe
3928	explorer.exe
3928	explorer.exe
3756	explorer.exe
3756	explorer.exe
3756	explorer.exe
3756	explorer.exe
2860	explorer.exe
2860	explorer.exe
3928	explorer.exe
3928	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeDebugPrivilege	3940	AdvancedRun.exe
Token: SeImpersonatePrivilege	3940	AdvancedRun.exe
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeDebugPrivilege	636	AdvancedRun.exe
Token: SeImpersonatePrivilege	636	AdvancedRun.exe
Token: SeDebugPrivilege	1504	3B27.exe
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	2256	44FE.exe
Token: SeDebugPrivilege	2768	3942.exe
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeRestorePrivilege	4244	WerFault.exe
Token: SeBackupPrivilege	4244	WerFault.exe
Token: SeBackupPrivilege	4244	WerFault.exe
Token: SeDebugPrivilege	4244	WerFault.exe
Token: SeDebugPrivilege	3268	346F.exe
Token: SeDebugPrivilege	4436	WerFault.exe
Token: SeDebugPrivilege	4560	WerFault.exe
Token: SeDebugPrivilege	3380	346F.exe
Token: SeDebugPrivilege	4748	WerFault.exe
Token: SeShutdownPrivilege	2708	Process not Found
Token: SeCreatePagefilePrivilege	2708	Process not Found
Token: SeTakeOwnershipPrivilege	2708	Process not Found
Token: SeRestorePrivilege	2708	Process not Found
Token: SeDebugPrivilege	5112	WerFault.exe
Token: SeDebugPrivilege	4232	WerFault.exe
Token: SeDebugPrivilege	2364	346F.exe
Token: SeDebugPrivilege	4568	WerFault.exe
Token: SeDebugPrivilege	4332	346F.exe
Token: SeDebugPrivilege	3236	WerFault.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2256	44FE.exe
2708	Process not Found
3896	MicrosoftEdge.exe
5280	MicrosoftEdgeCP.exe
5412	MicrosoftEdge.exe
356	MicrosoftEdgeCP.exe
356	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2708	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 3164	564	2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b.exe	77
PID 564 wrote to memory of 3164	564	2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b.exe	77
PID 564 wrote to memory of 3164	564	2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b.exe	77
PID 564 wrote to memory of 3164	564	2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b.exe	77
PID 564 wrote to memory of 3164	564	2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b.exe	77
PID 564 wrote to memory of 3164	564	2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b.exe	77
PID 2708 wrote to memory of 1180	2708	Process not Found	79
PID 2708 wrote to memory of 1180	2708	Process not Found	79
PID 2708 wrote to memory of 1180	2708	Process not Found	79
PID 2708 wrote to memory of 2768	2708	Process not Found	81
PID 2708 wrote to memory of 2768	2708	Process not Found	81
PID 2708 wrote to memory of 2768	2708	Process not Found	81
PID 2708 wrote to memory of 1504	2708	Process not Found	83
PID 2708 wrote to memory of 1504	2708	Process not Found	83
PID 2708 wrote to memory of 1504	2708	Process not Found	83
PID 2708 wrote to memory of 1660	2708	Process not Found	84
PID 2708 wrote to memory of 1660	2708	Process not Found	84
PID 2708 wrote to memory of 1660	2708	Process not Found	84
PID 2708 wrote to memory of 3856	2708	Process not Found	85
PID 2708 wrote to memory of 3856	2708	Process not Found	85
PID 2708 wrote to memory of 3856	2708	Process not Found	85
PID 1180 wrote to memory of 3692	1180	346F.exe	86
PID 1180 wrote to memory of 3692	1180	346F.exe	86
PID 1180 wrote to memory of 3692	1180	346F.exe	86
PID 2708 wrote to memory of 2256	2708	Process not Found	87
PID 2708 wrote to memory of 2256	2708	Process not Found	87
PID 2708 wrote to memory of 2256	2708	Process not Found	87
PID 1504 wrote to memory of 3940	1504	3B27.exe	89
PID 1504 wrote to memory of 3940	1504	3B27.exe	89
PID 1504 wrote to memory of 3940	1504	3B27.exe	89
PID 2708 wrote to memory of 2952	2708	Process not Found	90
PID 2708 wrote to memory of 2952	2708	Process not Found	90
PID 2708 wrote to memory of 2952	2708	Process not Found	90
PID 2708 wrote to memory of 2952	2708	Process not Found	90
PID 3940 wrote to memory of 636	3940	AdvancedRun.exe	91
PID 3940 wrote to memory of 636	3940	AdvancedRun.exe	91
PID 3940 wrote to memory of 636	3940	AdvancedRun.exe	91
PID 2708 wrote to memory of 3392	2708	Process not Found	93
PID 2708 wrote to memory of 3392	2708	Process not Found	93
PID 2708 wrote to memory of 3392	2708	Process not Found	93
PID 1180 wrote to memory of 3268	1180	346F.exe	94
PID 1180 wrote to memory of 3268	1180	346F.exe	94
PID 1180 wrote to memory of 3268	1180	346F.exe	94
PID 2708 wrote to memory of 184	2708	Process not Found	95
PID 2708 wrote to memory of 184	2708	Process not Found	95
PID 2708 wrote to memory of 184	2708	Process not Found	95
PID 2708 wrote to memory of 184	2708	Process not Found	95
PID 2708 wrote to memory of 3928	2708	Process not Found	96
PID 2708 wrote to memory of 3928	2708	Process not Found	96
PID 2708 wrote to memory of 3928	2708	Process not Found	96
PID 1504 wrote to memory of 3316	1504	3B27.exe	97
PID 1504 wrote to memory of 3316	1504	3B27.exe	97
PID 1504 wrote to memory of 3316	1504	3B27.exe	97
PID 1180 wrote to memory of 3268	1180	346F.exe	94
PID 1180 wrote to memory of 3268	1180	346F.exe	94
PID 1180 wrote to memory of 3268	1180	346F.exe	94
PID 1180 wrote to memory of 3268	1180	346F.exe	94
PID 1180 wrote to memory of 3268	1180	346F.exe	94
PID 1504 wrote to memory of 3596	1504	3B27.exe	101
PID 1504 wrote to memory of 3596	1504	3B27.exe	101
PID 1504 wrote to memory of 3596	1504	3B27.exe	101
PID 1180 wrote to memory of 3380	1180	346F.exe	98
PID 1180 wrote to memory of 3380	1180	346F.exe	98
PID 1180 wrote to memory of 3380	1180	346F.exe	98

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3B27.exe

C:\Users\Admin\AppData\Local\Temp\2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b.exe
"C:\Users\Admin\AppData\Local\Temp\2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:564
- C:\Users\Admin\AppData\Local\Temp\2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b.exe
  "C:\Users\Admin\AppData\Local\Temp\2189c55c45bdae4c6c966d1fe88312cd12b841b86ffaee29a0512a590f11718b.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3164

C:\Users\Admin\AppData\Local\Temp\346F.exe
C:\Users\Admin\AppData\Local\Temp\346F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  PID:3692
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3268
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3380
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4332
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:5548
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:6028
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:5312
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:5444
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  PID:728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 24
    3⤵
    - Program crash
    PID:5928
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:5464
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:5132
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:5820
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:5556
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:728
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  PID:4404
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  PID:5544
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  PID:4352
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  PID:5152
- C:\Users\Admin\AppData\Local\Temp\346F.exe
  C:\Users\Admin\AppData\Local\Temp\346F.exe
  2⤵
  PID:776

C:\Users\Admin\AppData\Local\Temp\3942.exe
C:\Users\Admin\AppData\Local\Temp\3942.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Users\Admin\AppData\Local\Temp\3B27.exe
C:\Users\Admin\AppData\Local\Temp\3B27.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1504
- C:\Users\Admin\AppData\Local\Temp\8f74c155-cc47-4161-a162-8f9143b5cb5e\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\8f74c155-cc47-4161-a162-8f9143b5cb5e\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8f74c155-cc47-4161-a162-8f9143b5cb5e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Users\Admin\AppData\Local\Temp\8f74c155-cc47-4161-a162-8f9143b5cb5e\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\8f74c155-cc47-4161-a162-8f9143b5cb5e\AdvancedRun.exe" /SpecialRun 4101d8 3940
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:636
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3B27.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3B27.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe
  2⤵
  PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
  2⤵
  PID:3696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  2⤵
  PID:2404

C:\Users\Admin\AppData\Local\Temp\3C32.exe
C:\Users\Admin\AppData\Local\Temp\3C32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 736
  2⤵
  - Drops file in Windows directory
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 752
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 788
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 884
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1188
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1168
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1236
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1200
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 828
  2⤵
  - Program crash
  PID:4428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1316
  2⤵
  - Program crash
  PID:4324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1384
  2⤵
  - Program crash
  PID:4416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1256
  2⤵
  - Program crash
  PID:5016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1436
  2⤵
  - Program crash
  PID:4772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1444
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:5316

C:\Users\Admin\AppData\Local\Temp\3EE2.exe
C:\Users\Admin\AppData\Local\Temp\3EE2.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
PID:3856
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:5488
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:5268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:5592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:5664
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:5188
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:5712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:5560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:5520

C:\Users\Admin\AppData\Local\Temp\44FE.exe
C:\Users\Admin\AppData\Local\Temp\44FE.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2256

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2952

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3392

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:184

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3928

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2760

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2860

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3396

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3756

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4168

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3896

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4288

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5392

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5808

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5412

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5696

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:356

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:636

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\9875dd6512284301a86d0578748612cc /t 5772 /p 636
1⤵
PID:4956

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3380

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery