ryuk | 4a132f5fca3763d8328c66ae447ac331e5bede35a63b6cac8bd845a3504d5bbb

Analysis

max time kernel
122s
max time network
123s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Virus_Destructive.exe
Size

249KB
MD5

1241c7fa483e828693d121d6933ccc19
SHA1

d766b6a14c9476aad4fb994fa06a24265f1eb24b
SHA256

4a132f5fca3763d8328c66ae447ac331e5bede35a63b6cac8bd845a3504d5bbb
SHA512

febb9519e5c63ea50d673c26a98fa675378c1d9205bd9bc878aeb3e0130c2cd877ad922df4a2c7dcea7a9815b6fae83becb896e38f59f3d7a7edf0e161cd28ff

Score

10^/10

ryuk discovery evasion exploit ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FBIJTPX0\f[3].txt

Family

ryuk

Ransom Note

)]}' {"bgasy":["https://www.google.com/js/bg/xhsXU0guuD_DJQfM3yOamG_r6Q35zwg2XWY6fSAgpNU.js","TSs61ug7rgvK0V+dM+6KK9k2y+LZXRiE9BTXUue7pWnUWh18gaRDW7ekTEDeqWcMpTzp1QeSTV4+rlTuEuX8OKYipOVreLZoVEDYk+pfSw2VX9NEIHq1gmhoizmzAtkYD4UiSQQXJFafwX6gi9/GU/0afvEiJSUfPkCKXXgqjoyfdUpQa2dt2YqHnY+ykKukmplYvmbiKgIm8EDIaUdbLaNzShkb52YK6t1q2GUSgvYyTSxV81Ys4ONVVP2p6u/yYbElBfXT3AWAmHS4C3MBrW94NVWghKiBXFQ8fKPRf9R9zZiyXb1TgixkiTewj8Dip5humgpjJp+omXYK9hLyD/vHYujIJOD/JKMGlwZXE6qsa67gIkWK5DDtOhJz6xJGhSVPyTLa3RFBwKAloKP38VYvkhzCU7nDJOBxPPd29gZWLK0o9W1AjeRdXKQ0xLXtwGQkUsdV4vd1r6GibKaCyE9x32ec5taIbIzAqgExDq+2g8M6+RZwto7nfP+WbxIlkYsxhWZxmqSMMWT5LQAEt0fkYSL2+78iJx+lANeGmyggLFoFzYqc5Z7BIK3blkvpAy0Jp23K+eVjFhbNLttx40UuhcA6TxmeaWOuMAobB8nh4BW02ymSLsnoix1xlqHjwMK6NFGxlU0LWFpdWcDlISyhwHARSxwHkb0qlDnQTyH1f/oFGZwH0wlwDSUsH6zugpALnGw90IAemBODAgzF68+x2l0VwKpAaYXUjZpZbMAEKpfNTZa2vtV972H3ww1FsD7loiDgealX+u+UpAZw1ijMfczL7kEplYWm3wC2UK8teKS80BNJGhz+2lAUxZjmPoQLw//qOLxdMOUyj8Rifc05jJRXFMlFJ9QWmnM5HQOILlBis7559wer6XCjmDljbeZwLDHzzcPk0v6grCqbJ5i5woybPE8L0EmCfwHpXYPRjEOIFn7XRlJVIO937rmbwKtrru1w1mrDZBBgxlj/vZJ1R9KpV7ldVnNNCif7KAVBGwrvFer0TqkQKr/cFEL289VVm+UT+zbT6cHMSqy3vG5cgTG/9ARexzCto3/viCMhnFCIdxzD2M+r/ndlQ7br4NrfJMj8fdSfPN9NWJm+lcJ/mpV9lx7FOFTa2JmFxmrRGRMULxdsR0QwnYhUIt7nE2Si9S9s2oslGRtgUdXTPOGVv+7j5ajBY3w8JJuzRijZnqOue3jrXWQB7vgkdu/3VF2VB/sDh2mSQ2FDbY+z74svwOzqTV+H4w42AdT6/suFM3dIreXn8dY9L4Neve6pyQJ6Dmanj6EqIZWmzxpOpH0kRtdVlbph4+gYAg24tvM4KSuzUVutMsF35WcZgNsl0uZjBPo0RzJLRu36mvKdEQ3i8REIoLymeZ/Dut3xBagnYKW438+Jt0fvf1JI2sxY7zS3RHYrNljYYatU41uWu069g0EiUPbkME8WS6nl9skzX8cU7pJUFC6jT4kth1hf5E/l37zrKgCx36DaNhUSXwn9mrS/N8D01+eZ4TdO+hHF3xAscFfinXtAVBH1eBIM6mkRM2BVP5zahgbxAOQMXuoDY/6dzaNS+98fwLc5SHdM9BzbN9yxnMKjKm8W8y5kxGfXkDMl/6JmtavFZ3wrn2W+8NYpOQrFKcYo2Z60q9MucF+8PJuybTCNQUbueXoITWuuldjHH1C0FAhIAh4h8J9ThUqnHpzMoc8uohFevuQL1jXJkG2gcv4z2g1j+IjbyPT8/UpLznCOPvdJXLtQk4eibPfH9VkOTuG1Um03Y9CpXFKNtZfvuE5nzENejkyCciywfCM3w8/xaew7RmqSCNR9nIxmJNfVzB7GjHfr/vkK6bPnwkdE418UPjESutrn6HSSKR45i/wThQa0te+53zIK/CBwzZvd6ZkGs9smejccA7lA3H0S0n+MXZuLE6ll/fA7rQjQIdkADTrRAOuaZ92dLeghn4FVLr5vMHoZf9DUelzippqIq+z6D04YW5kZLGzhpKsWhpbw2EMUOJcqzIPsY1pUTQluZEWiqdq+OBJcGr6hwEcA8p5Hzj0pN7X935Mm+FvxHu/6VGr2P+FMBkXExEfZUYiSettM22p3qJeD2Cowr5CX1gNfnLmzhSPP8Upl2yO0zXOz6jrGz5Q8Oal+CJgLH6UdT0nMIpdEoHZxMobq2rJvPS0jT2TWMX5Da66upkYsP5VJIAmC2hTMOiIPquusZYIpcTSR66ZI/urWI5qxjB4xIBQgcs+xoScxxAjxLQIJ5LDRJlaKhz6aoFrpPi17nwXPPT5vtzCE9a/DCzGdPvuwrs9LmUqPcKM7QM44IIhl3pimEU9wsw7z5hRbeciyAKeXSYa0DLWwSl2SRYTEslK1gpELEF4K5QhDTWOeRRMvvNR7L/F/4Sxe0hRBu/Sb1HNgL4by7UoZ7G1+Kgdq5qjWyKE2LVIdNEhoh8s8FES5OBUEAUo0RZaeSKh0Ae+US4pjx3jVy7JhmNA48ija45/pYORgNr2rEVpH2eVl2qQUwaoYik386f0IID74HR0whVUTEEShTALbmxWOAgW3HnmaFrTaPxSVwoUjjXS8qGQwl/L7E1vGsAnHog7/Mdz8J0dm2SITZxrA2IAk6v7r+ZoW6YRODUE6GseJSBsD3dXy20yrLYJQMJ9XIfhUrWlI2pR4gPnpvaJrr9UdgeR3JIMfVUBRqBX7lKjOo7E1aNGD6krtcWoDcyv5a0y3di2fDk33Z5u112wUNF2G1XRN6y8IrB7YbyHETCWftOdNk3rdqCEEJrQj9KpEFLWN5zVcuDWn5krU2UYyQVqk447z1rKOdKFXICeH8WVV7mmHI2SWPcvFs5M/o9T2fP9sr5Elc6flH9HeFPzb75Z8pNt2vy/4RoBzWUlHG8PgOA6laiAWbMRBnOZTg3I2fi9Jsxt+8drQUwyiAB1AIfYSGPT1yZ5hHBbgfKBTYDno0GqzkkOvXnEGuEgcL8igO3I91xnc/BVGmSJxs3If/74dzJbS2Wo+1qUCi81KsKP22FmQcI9Tt18e05Xp0YuRt2iwD70KT5Enmn+dbYjt7QthNzq4rx998M975ui/cDhIup+xxqsM4sPCilFk+2chPupt1R+G0UD10vXGYgvKclCzZ4mnqh4zmPSqj7SbY1G17GLqO1spJ0d0/fpcIxhCNWgjFw12YLYSU5220b+caBpYjtLNri6I5BV7nr5NY+lJiFIgwKcMt/wPgRxBYnPe7oOwRaUmHw+j+gV0w4xZ5E21Eb8azdAX35jSCcbcj4UHffEvewEgED1+n5wXhEZtT7Yv1lr2mWO3FnRsjSbTGu8nN+V815/TBLEp/6ieFGjTsMcw7v0Ddm6tv2NQOFgRpdYrFPClzAvAcFdBw/jI59hMIyoLhRZndrwrvZMSR5H4ryfBZ805RSwZSp1onPGwDRFfr+NXz+ZV7740iDArwAB+DrNEz7eIqKZNvLT70PbsPEiE7WAPslw3kIf3aLu6hOh8xPLGbkgxEtR8/Ykh9n37a5BUxcq7rudgsWyyELSkIrynZd9wSQQkXs5oBOWpQyq4iawpWJ8O1H+v7/McZTDDCJVcIYhWOBi0h+txqDN12rSEJtEZZkWl/oGS89qjyjvzzlOEHTKucMit4QTqtGTbNibvq6C8K9N3TYAjO7siMJ1D6KjZxeeDnd51R2RecDaDo7QGV45FNJ6qyZIHGq7w7D8C8Tq8W7SqPM+1FiNI+zEvS0yznDJJSOxDU6sGm98TTuzFfb3ZdGNBst0n43UnIMzvqrY/0ju7b6+XZFul1L8kVkLqfWRH11HzVoCxRVImRYd5VyQa6CSCIuyozXehAj1Z93/VtMGQakgRv6ow6l2pspOeCYoeaKh6algdR4/YyNjnt30UFjzhtK/cxJzk+rb6uBuMSepe28Z3XHwL/h90mQKx1U/cR9mlyknrHXPvp6eFmKzOpdg0ukdXmM6t4e9tqy6jfnF7TJTFzeQizgdkcDwwLYzD6cr/PfYby+xSkWltn0fwgfa680+L783E0X5tz3GRD209FJDoG89U3Wuf0qrBvci3U+3FJ8y1lBoaKeq2lQDVY+uHlhOfcd6v25P+GV7hZLdU0FsxyN+qrjxVwptgTK2YEhlhdQwq75z1dsUXYHgChmOg3rOnqye8+fBbdCoLzmcI7ToQtbkcyoK1IZ98T1zHBI65fBhb87lgKg4Om+li5plA93+ct/xqnNW/BRof+VnATnV5yqsGEmZgTon1pTXLGb/JEbG4v1k1ntvS9waMgpb6wvXU86xeypkl2DUYMnRyukTNrR9boArJE/4Heq14ppS6f570C+VfD6lfpsX2ql9volk8baYi2vjzPGbBmT84ISFu1U4jmoR2lKwKk9IS3MX2Q+x9nvUFhwWxkUAn/aI4J4rEK0BktDBV1BNb1dAPW432GV5HNVzhfC78/C5mfMHXBa60n29qDD7Zn/YOrEAX6I5SWyfUZ1xjrRTKLGfNjvqyUnlOSkhnTdy/WdjikI4WZdxjvPvQC45ue7Q29blEXG1/IkRv0+0mEThR5FvTJEEGNypPO8wcv2R4qCHudbQJ7pcussbxlp+zTM/vJRZKDKrujP5xG/ZucXclA/CcbEtTOCKWY+v9DNwzI4/BwFz7f3Dxlz3MW6WC2ujm+PMLIdTJYAE7cGu/Uq/5N0evgoTORpheH2fWeFeTObKQzD58G2kXWwmWakqKxwEKrMJXK27KI7Xg1tTvPdKZmojgAXFtSfMovh50Xs4uohz1MM8iF4wOqdTqecQzIWv229k7Qwt1kPE/BdDhtgkfHc+pcJvOVD6ewVCqAg+0ZeWWEa2sVadQycFCGIO7mBw/MkPVPQOPxRITY7ZyVxjpRpOi3wXZ+KeWCrg3Wi2am8Fi1bcOiv+IepCNm0MlQHaL7zTj2niFj4sDVU9V0vLJsouMDih7o7+Z29VcMakLiVJ86utQBIwHzVOE3eLKXa8keHPZVsrfF0H/s98tgw9eVMW5O/+zll+YrCWiN0J487TT8zDNrXr7P9ZCKukQm2eMAFmpEIxnLPYEJ4bxFa8ZvxcQX4coUgF/aGfePp0g4JeTnRptIPF/SfrNAYUPXf2NNkmoEmTqhBGMCPEJxzHv+CN8NzThxaNVFs3DKix0CrgifFy1AdDG6XUVW5cZ+JM+/MhAZ3PFoLAV72bu+30hByKlExR84d8sbC4uIcaH8KVZJMOfREvbVnDa4T+fCh0NeU2vojYr/BAilxDWVMtoIy3kxm2lLz+Skhv4UVQid6j7JvbTvfr5XXhne6clT4ANlBbPYCYd5PENhLs/UtJWiqYtDNe1UQ+SfaHNtGxscvWvnov3b7P1CYWF3GL2ZfG95V17pL9jbJUhpX5L3CkDzwcU1f4Vi8aBKWHMb12gnuE85ZDkWMaCEuT4emCgWZHBQ/FolT1CkST3OQK4TXA/5jXPDLCd5yxO+5tls2+BZkum259hvPhKqjJQLqDzTya7cRGpfQ5qNWtugB1UI300O8/IXFDSL1ZOuOFwAHRmUEGHv4a2rR8RcGnB552+gTBhw1zP7QfkJ9BaKxpQsj921iUov4bzU5qP5b6OY8T8XnZuTU5evyZlSpWE0S9R1Xl1Vnk90+yMPw3wBgtLKQ0JNkO5Knti05PhS+cHUwmQA7aoW2nHprBlXKbQ8vCEVnwq7B2r+viULJYkfFWwkt+A1CIwb07eWobq77pjaELmTOAD/TbDZk9UMVDmPEviHcAJR4TqZ7OCEGnMCBR0Y3Lxr0neJnihKlkbqPUNvvyFnQUjVkm+dGUUN4GfaqqQq5UJ0DO8bUzI+xKOBXzs69rcuM0VVYc0veewXYFxJb9/Vs8w/IBpGqedtuown9W3yt38DN+wkqIPZJCsvDLO0RZs2G6YVL7IZWCfgl1HjZgFx/Frjl5FwQBvnfjFHvPRpF+ApJobO05acYjEZ3xcA0NccN7cmSQ9Mqetfa9ZFFvalRur9gyuNBe3fxyx5bKoMXCSRreHh0xxqp3UKoX0Pci6A1LVWntGn6nr0nVD+6foiDZVkv9JxB6y7TAQw0fW5OXLt4vZfp35RWvlSxoTomj5kUS95BOS2l60lpuB3GJQOxuvu7UppsTx37GiHvZK7txWIzhT4pbzdcHBBMltidQ3dTBq6Fq+lTsiRxxHCg7smYsydvDXcc6BQcoZayHK8Gw2g5C6BKPe6danflInap7BXtHXjSu+Ivynabc+JA9ANteGPZ0wJRQTk3ySzxg+jR7pnOJusjYxKy7WvA\u003d"]}

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4248 created 3692	4248	WerFault.exe	91
PID 5884 created 5636	5884	WerFault.exe	102

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
4252	takeown.exe
4348	icacls.exe
4384	takeown.exe
736	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\International\Geo\Nation	Virus_Destructive.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4252	takeown.exe
4348	icacls.exe
4384	takeown.exe
736	icacls.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4248	3692	WerFault.exe	91
5884	5636	WerFault.exe	102

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "102"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4b4079762211d801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com\ = "862"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\Total = "96"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersion = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 1ebdc8e246ecd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C8 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com\ = "18"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.google.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\Total = "84"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 254d72702211d801	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com\ = "874"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4a883e862211d801	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0b42057e2211d801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com\ = "856"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.google.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "887"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\Total = "6"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\Total = "102"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com\ = "90"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.google.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
4248	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe
5884	WerFault.exe

Suspicious behavior: MapViewOfSection 22 IoCs

pid	Process
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3436	Virus_Destructive.exe
Token: SeDebugPrivilege	3436	Virus_Destructive.exe
Token: SeTakeOwnershipPrivilege	4252	takeown.exe
Token: SeTakeOwnershipPrivilege	4384	takeown.exe
Token: SeDebugPrivilege	412	MicrosoftEdge.exe
Token: SeDebugPrivilege	412	MicrosoftEdge.exe
Token: SeDebugPrivilege	412	MicrosoftEdge.exe
Token: SeDebugPrivilege	412	MicrosoftEdge.exe
Token: SeDebugPrivilege	3244	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3244	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3244	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3244	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1448	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1448	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	736	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	736	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	736	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	736	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	736	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	736	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4248	WerFault.exe
Token: SeDebugPrivilege	5884	WerFault.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
412	MicrosoftEdge.exe
2800	MicrosoftEdgeCP.exe
2800	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 4300	3436	Virus_Destructive.exe	69
PID 3436 wrote to memory of 4300	3436	Virus_Destructive.exe	69
PID 4300 wrote to memory of 4252	4300	cmd.exe	71
PID 4300 wrote to memory of 4252	4300	cmd.exe	71
PID 4300 wrote to memory of 4348	4300	cmd.exe	72
PID 4300 wrote to memory of 4348	4300	cmd.exe	72
PID 4300 wrote to memory of 4384	4300	cmd.exe	73
PID 4300 wrote to memory of 4384	4300	cmd.exe	73
PID 4300 wrote to memory of 736	4300	cmd.exe	74
PID 4300 wrote to memory of 736	4300	cmd.exe	74
PID 2800 wrote to memory of 3244	2800	MicrosoftEdgeCP.exe	79
PID 2800 wrote to memory of 3244	2800	MicrosoftEdgeCP.exe	79
PID 2800 wrote to memory of 3244	2800	MicrosoftEdgeCP.exe	79
PID 2800 wrote to memory of 3244	2800	MicrosoftEdgeCP.exe	79
PID 2800 wrote to memory of 3244	2800	MicrosoftEdgeCP.exe	79
PID 2800 wrote to memory of 3244	2800	MicrosoftEdgeCP.exe	79
PID 2800 wrote to memory of 3244	2800	MicrosoftEdgeCP.exe	79
PID 2800 wrote to memory of 3244	2800	MicrosoftEdgeCP.exe	79
PID 2800 wrote to memory of 3244	2800	MicrosoftEdgeCP.exe	79
PID 2800 wrote to memory of 3244	2800	MicrosoftEdgeCP.exe	79
PID 2800 wrote to memory of 3244	2800	MicrosoftEdgeCP.exe	79
PID 2800 wrote to memory of 3244	2800	MicrosoftEdgeCP.exe	79
PID 2800 wrote to memory of 3244	2800	MicrosoftEdgeCP.exe	79
PID 2800 wrote to memory of 3244	2800	MicrosoftEdgeCP.exe	79
PID 2800 wrote to memory of 2952	2800	MicrosoftEdgeCP.exe	84
PID 2800 wrote to memory of 2952	2800	MicrosoftEdgeCP.exe	84
PID 2800 wrote to memory of 2952	2800	MicrosoftEdgeCP.exe	84
PID 2800 wrote to memory of 2952	2800	MicrosoftEdgeCP.exe	84
PID 2800 wrote to memory of 2952	2800	MicrosoftEdgeCP.exe	84
PID 2800 wrote to memory of 2952	2800	MicrosoftEdgeCP.exe	84
PID 2800 wrote to memory of 2952	2800	MicrosoftEdgeCP.exe	84
PID 2800 wrote to memory of 2952	2800	MicrosoftEdgeCP.exe	84
PID 2800 wrote to memory of 2952	2800	MicrosoftEdgeCP.exe	84
PID 2800 wrote to memory of 2952	2800	MicrosoftEdgeCP.exe	84
PID 2800 wrote to memory of 2952	2800	MicrosoftEdgeCP.exe	84
PID 2800 wrote to memory of 2952	2800	MicrosoftEdgeCP.exe	84
PID 2800 wrote to memory of 3180	2800	MicrosoftEdgeCP.exe	86
PID 2800 wrote to memory of 3180	2800	MicrosoftEdgeCP.exe	86
PID 2800 wrote to memory of 3180	2800	MicrosoftEdgeCP.exe	86
PID 2800 wrote to memory of 3180	2800	MicrosoftEdgeCP.exe	86
PID 2800 wrote to memory of 3180	2800	MicrosoftEdgeCP.exe	86
PID 2800 wrote to memory of 3180	2800	MicrosoftEdgeCP.exe	86
PID 2800 wrote to memory of 3180	2800	MicrosoftEdgeCP.exe	86
PID 2800 wrote to memory of 3180	2800	MicrosoftEdgeCP.exe	86
PID 2800 wrote to memory of 3180	2800	MicrosoftEdgeCP.exe	86
PID 2800 wrote to memory of 3180	2800	MicrosoftEdgeCP.exe	86
PID 2800 wrote to memory of 3180	2800	MicrosoftEdgeCP.exe	86
PID 2800 wrote to memory of 3180	2800	MicrosoftEdgeCP.exe	86
PID 2800 wrote to memory of 736	2800	MicrosoftEdgeCP.exe	88
PID 2800 wrote to memory of 736	2800	MicrosoftEdgeCP.exe	88
PID 2800 wrote to memory of 736	2800	MicrosoftEdgeCP.exe	88
PID 2800 wrote to memory of 736	2800	MicrosoftEdgeCP.exe	88
PID 2800 wrote to memory of 736	2800	MicrosoftEdgeCP.exe	88
PID 2800 wrote to memory of 736	2800	MicrosoftEdgeCP.exe	88
PID 2800 wrote to memory of 736	2800	MicrosoftEdgeCP.exe	88
PID 2800 wrote to memory of 736	2800	MicrosoftEdgeCP.exe	88
PID 2800 wrote to memory of 736	2800	MicrosoftEdgeCP.exe	88
PID 2800 wrote to memory of 736	2800	MicrosoftEdgeCP.exe	88
PID 2800 wrote to memory of 736	2800	MicrosoftEdgeCP.exe	88
PID 2800 wrote to memory of 736	2800	MicrosoftEdgeCP.exe	88
PID 2800 wrote to memory of 736	2800	MicrosoftEdgeCP.exe	88
PID 2800 wrote to memory of 736	2800	MicrosoftEdgeCP.exe	88
PID 2800 wrote to memory of 736	2800	MicrosoftEdgeCP.exe	88
PID 2800 wrote to memory of 736	2800	MicrosoftEdgeCP.exe	88

C:\Users\Admin\AppData\Local\Temp\Virus_Destructive.exe
"C:\Users\Admin\AppData\Local\Temp\Virus_Destructive.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4252
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4348
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4384
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:736

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:412

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3268

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4508

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2952

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3180

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1436

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:3692
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3692 -s 3748
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4248

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3672

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:5248

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:5636
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5636 -s 3336
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5884

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\ee4389c6bcb04c9f990b95e842bd7b8a /t 3516 /p 3436
1⤵
PID:5844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5952

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:4092

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/412-118-0x0000019EF1220000-0x0000019EF1520000-memory.dmp

Filesize
3.0MB

Download
memory/2952-148-0x000001B138600000-0x000001B138700000-memory.dmp

Filesize
1024KB

Download
memory/2952-149-0x000001B1386E8000-0x000001B1386F0000-memory.dmp

Filesize
32KB

Download
memory/3436-190-0x000000001BDE6000-0x000000001BDE8000-memory.dmp

Filesize
8KB

Download
memory/3436-201-0x000000001BDE8000-0x000000001BDEA000-memory.dmp

Filesize
8KB

Download
memory/3436-115-0x0000000000770000-0x00000000007B4000-memory.dmp

Filesize
272KB

Download
memory/3436-117-0x000000001BDE2000-0x000000001BDE4000-memory.dmp

Filesize
8KB

Download
memory/3436-116-0x000000001BDE0000-0x000000001BDE2000-memory.dmp

Filesize
8KB

Download
memory/3436-161-0x000000001BDE4000-0x000000001BDE6000-memory.dmp

Filesize
8KB

Download
memory/3436-218-0x000000001BDEA000-0x000000001BDEF000-memory.dmp

Filesize
20KB

Download
memory/3436-222-0x000000002CD70000-0x000000002CD74000-memory.dmp

Filesize
16KB

Download
memory/3436-225-0x000000002CD74000-0x000000002CD77000-memory.dmp

Filesize
12KB

Download