healer | 0961cfb89798532c90d35ce37a1718f108d572c7886da0f4b1d6c777c7673e07

Resubmissions

30-05-2024 17:33

240530-v5b3ksgc98 10

23-05-2024 18:24

240523-w2bhbabg64 10

Analysis

max time kernel
78s
max time network
78s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
24-05-2024 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0961cfb89798532c90d35ce37a1718f108d572c7886da0f4b1d6c777c7673e07.exe
Size

491KB
MD5

1c185b332b3c465c964af971cafee906
SHA1

8a608729025c94664a9925c0aba1fb4479eeb6e9
SHA256

0961cfb89798532c90d35ce37a1718f108d572c7886da0f4b1d6c777c7673e07
SHA512

8f31346b635988db5b6170ce267c0b40b7ef27584cdc7a57f181f2b05b060be5ff97a5533941f0297bd946df8fcad0295f168676e2fe76f99cdbdd85824030c8
SSDEEP

12288:1Mr5y90hhwxAOv0OPzp6Cp4mEonRxsvz:kyuZmU5mxMz

Score

10^/10

healer redline hares dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

hares

83.97.73.128:19071

Attributes

auth_value
62fed2fd42b168e956200885cefb36a7

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/memory/192-15-0x00000000001E0000-0x00000000001EA000-memory.dmp	healer
behavioral1/files/0x000700000001ac23-23.dat	healer
behavioral1/memory/4616-25-0x0000000000CD0000-0x0000000000CDA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b6219333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9971995.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9971995.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b6219333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b6219333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b6219333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b6219333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9971995.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9971995.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9971995.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1692-39-0x0000000000470000-0x00000000004A0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
204	v2409475.exe
192	a9971995.exe
4616	b6219333.exe
1692	c9926148.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a9971995.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9971995.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b6219333.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2409475.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0961cfb89798532c90d35ce37a1718f108d572c7886da0f4b1d6c777c7673e07.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 00c6436ec486da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10ad4be9ceadda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c517910592b48541be24303fa89e939b00000000020000000000106600000001000020000000591b8a8996d707c72a0ddfde6aea735d98a3c2cdf6fa5ec94bf27f83d21e5321000000000e800000000200002000000079b98bdf443c164fe7dbeb2b437ffcb981482b52abdd026c8b0407598ac53ae7200000009d48a21f73ea8f5c76756aad2d7b3aac5d437428f415119fd4620bbfcab8736740000000a51145b9bcd2274d1bb23ded2b1fc5135538332f63bd985acb23f545d3b0eb4b5a34f5600cf4575d5d30229128af0ed1e6cb1efe04944e24ea527916bbc30f41	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 006850e9ceadda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108558"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{326F4120-19C2-11EF-B03F-7ACE63468C9D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108558"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2136E4EA-19C2-11EF-B03F-7ACE63468C9D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3905307260"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c517910592b48541be24303fa89e939b00000000020000000000106600000001000020000000876d523eda47f4cb753d5b8b4a44eb11b6296d6dc2865bfbd0ecde531629de9f000000000e8000000002000020000000036adb419d51f782caed3c30c9be0364756ade2d209ebd1c24af26c8a675243d200000004a540272983a350b3092519bd6e67563001ffbe4d13ce81107a0e775cd439611400000005cece8e714d91f961ed0de9fab70a723d911332f2b49a8e7cc337fef2107618141bf1cbd05a99c3f291194df9a2896e68a4009c29f3babe78ce766d75555da52	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\lock_auto_file\shell\open\CommandId = "IE.File"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\.lock	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 1095e2ebceadda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\.vsw	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\vsw_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\lock_auto_file\shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\vsw_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\.lock\ = "lock_auto_file"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\.vsw\ = "vsw_auto_file"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{D7D8A032-2684-40D9-B754-2549BC8DA1D5} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\vsw_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000008dca25951db329aa77f5902e763af2d565473985a18c937de278a65e1e80f886750692ed669f861499501563bc8577279dda01353f9ee397b8b4	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 37ebeae7ceadda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\lock_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
192	a9971995.exe
192	a9971995.exe
4068	mspaint.exe
4068	mspaint.exe
4616	b6219333.exe
4616	b6219333.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1416	OpenWith.exe
3748	OpenWith.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4148	MicrosoftEdgeCP.exe
4148	MicrosoftEdgeCP.exe
4148	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	192	a9971995.exe
Token: SeDebugPrivilege	4616	b6219333.exe
Token: SeDebugPrivilege	216	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	216	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	216	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	216	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1176	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1176	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1176	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3012	MicrosoftEdge.exe
Token: SeDebugPrivilege	3012	MicrosoftEdge.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2844	iexplore.exe
3960	iexplore.exe
2728	iexplore.exe
2728	iexplore.exe
2728	iexplore.exe
2728	iexplore.exe
2728	iexplore.exe
2728	iexplore.exe
2728	iexplore.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4068	mspaint.exe
4068	mspaint.exe
4068	mspaint.exe
4068	mspaint.exe
2844	iexplore.exe
2844	iexplore.exe
4672	IEXPLORE.EXE
4672	IEXPLORE.EXE
3960	iexplore.exe
3960	iexplore.exe
1116	IEXPLORE.EXE
1116	IEXPLORE.EXE
3012	MicrosoftEdge.exe
4148	MicrosoftEdgeCP.exe
216	MicrosoftEdgeCP.exe
4148	MicrosoftEdgeCP.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
1416	OpenWith.exe
2728	iexplore.exe
2728	iexplore.exe
3244	IEXPLORE.EXE
3244	IEXPLORE.EXE
2728	iexplore.exe
2728	iexplore.exe
3244	IEXPLORE.EXE
3244	IEXPLORE.EXE
2728	iexplore.exe
2728	iexplore.exe
3244	IEXPLORE.EXE
3244	IEXPLORE.EXE
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe
3748	OpenWith.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 204	4780	0961cfb89798532c90d35ce37a1718f108d572c7886da0f4b1d6c777c7673e07.exe	74
PID 4780 wrote to memory of 204	4780	0961cfb89798532c90d35ce37a1718f108d572c7886da0f4b1d6c777c7673e07.exe	74
PID 4780 wrote to memory of 204	4780	0961cfb89798532c90d35ce37a1718f108d572c7886da0f4b1d6c777c7673e07.exe	74
PID 204 wrote to memory of 192	204	v2409475.exe	75
PID 204 wrote to memory of 192	204	v2409475.exe	75
PID 204 wrote to memory of 192	204	v2409475.exe	75
PID 204 wrote to memory of 4616	204	v2409475.exe	80
PID 204 wrote to memory of 4616	204	v2409475.exe	80
PID 2844 wrote to memory of 4672	2844	iexplore.exe	83
PID 2844 wrote to memory of 4672	2844	iexplore.exe	83
PID 2844 wrote to memory of 4672	2844	iexplore.exe	83
PID 4780 wrote to memory of 1692	4780	0961cfb89798532c90d35ce37a1718f108d572c7886da0f4b1d6c777c7673e07.exe	84
PID 4780 wrote to memory of 1692	4780	0961cfb89798532c90d35ce37a1718f108d572c7886da0f4b1d6c777c7673e07.exe	84
PID 4780 wrote to memory of 1692	4780	0961cfb89798532c90d35ce37a1718f108d572c7886da0f4b1d6c777c7673e07.exe	84
PID 3960 wrote to memory of 1116	3960	iexplore.exe	89
PID 3960 wrote to memory of 1116	3960	iexplore.exe	89
PID 3960 wrote to memory of 1116	3960	iexplore.exe	89
PID 4148 wrote to memory of 1176	4148	MicrosoftEdgeCP.exe	94
PID 4148 wrote to memory of 1176	4148	MicrosoftEdgeCP.exe	94
PID 4148 wrote to memory of 1176	4148	MicrosoftEdgeCP.exe	94
PID 4148 wrote to memory of 1176	4148	MicrosoftEdgeCP.exe	94
PID 1416 wrote to memory of 2728	1416	OpenWith.exe	96
PID 1416 wrote to memory of 2728	1416	OpenWith.exe	96
PID 2728 wrote to memory of 3244	2728	iexplore.exe	98
PID 2728 wrote to memory of 3244	2728	iexplore.exe	98
PID 2728 wrote to memory of 3244	2728	iexplore.exe	98
PID 2728 wrote to memory of 2116	2728	iexplore.exe	99
PID 2728 wrote to memory of 2116	2728	iexplore.exe	99
PID 2728 wrote to memory of 512	2728	iexplore.exe	100
PID 2728 wrote to memory of 512	2728	iexplore.exe	100
PID 3748 wrote to memory of 4044	3748	OpenWith.exe	102
PID 3748 wrote to memory of 4044	3748	OpenWith.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0961cfb89798532c90d35ce37a1718f108d572c7886da0f4b1d6c777c7673e07.exe
"C:\Users\Admin\AppData\Local\Temp\0961cfb89798532c90d35ce37a1718f108d572c7886da0f4b1d6c777c7673e07.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2409475.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2409475.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:204
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9971995.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9971995.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:192
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6219333.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6219333.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c9926148.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c9926148.exe
  2⤵
  - Executes dropped EXE
  PID:1692

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\WriteResume.rle"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4068

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:3884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SearchGrant.mhtml
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2844 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4672

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\UndoSwitch.ttc
1⤵
PID:2116

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\TraceInitialize.mht
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3960 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1116

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:4844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:216

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SwitchInitialize.vsw
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:82945 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3244
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SwitchInitialize.vsw
    3⤵
    - Modifies Internet Explorer settings
    PID:2116
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SwitchInitialize.vsw
    3⤵
    - Modifies Internet Explorer settings
    PID:512

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\DebugSelect.lock
  2⤵
  PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
ba208409d758d248b5c43be99023d903

SHA1
e8ff44158a1a41784ff773aee0410fce08ffa85b

SHA256
90052b1f97e33e41422ee5bdf739a18a7c66b30c282ea309314b68bbc7c093c1

SHA512
a4c64d8f86d4e2533b7462a3ec5d072f059573d6937c9c4133b61ea14fdb691075a0c28f839d1a54cbc739477d3ef38995439d57308270ddbe670e5e40e5a27c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
77da325282309f8bd1ebd1b2abe6de77

SHA1
ad822f044f0e6543d388eb51796b2536b8b82ead

SHA256
c7a26847fa054fde956c942e6fa29456cf7093c759237fb1c67f6a2684969400

SHA512
9d9103c1022935cb009491b8ccd676813a039eed32492143f2e91c984547ba4b767d7af7375f44dc92cd10aa5d69eddbae54f8ee9fd476fb72e32382b559404f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1431CD6B-19C2-11EF-B03F-7ACE63468C9D}.dat

Filesize
5KB

MD5
d7127257f1e65e8e0a8ab0901839ebc0

SHA1
746bdb9cc90fbc80ccc14d276e4d2591fa1ec5bc

SHA256
317d86bfc3f084b0968b676594da7d5b7087e8c46dd285d375698d37a45de515

SHA512
4cc8d00a7dce791805e58b3910981222c9700bc233f1c90f11223ae7bd8e3821c9a57bccbe48af79255d589a0a89b0dc62dae7305f1b21954ca035e21dc3ff2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2136E4EA-19C2-11EF-B03F-7ACE63468C9D}.dat

Filesize
5KB

MD5
1ec0eb84fbd9aab5920c37ea921c94b6

SHA1
9daf26eff575e28c0d6b2ebfef058c5e492d1b2f

SHA256
da8c2245ecf0957e15f06b6406a38d69114daa493056cea95254dd8e951f97dd

SHA512
082ef81f850bd8d5d520ab26f079cbfdaabca056c2b050e043f20cd3c86e249150993ae52a0383f6ffdadc9cc6b7bdca54eb9cff5ddab83d44648b8feffc779f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{1232EB68-F27E-11EE-B037-C627849F21CD}.dat

Filesize
5KB

MD5
372b0009232dd2a8c7dd56ae96c04c0b

SHA1
708bfad65ceff5dbde06f0c5d794f42382316588

SHA256
78c2b6b0701d2470b9bf71f757d4f5c1b0562db046db88f008cd9f5fa275b564

SHA512
ace53fe7be9f9b3a803b57162f10117a62f55f4b6a0905834f2223f386bdc97dcde78b3dd4ee70a485a8d2506e59a5b19ba3afe2468759959e1aecbb610e4f8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{1431CD6E-19C2-11EF-B03F-7ACE63468C9D}.dat

Filesize
4KB

MD5
6447f1d4bf97d608deca6534cf5a0d93

SHA1
76ae0ed35e1bcbc6519da9e194fc0bc3425dcba8

SHA256
1244ba7bd0765be0221f4fd9948ff77c10b257b97e343496ff96f485682d753c

SHA512
c485a479014633e19b33b7e33ae5af6458cfd9093281d02cde2a2911f29a25fac6d78ef71e9ad3151d4a61c8eb8f457f489a7dbabc1a5f7fb98a9dfaab274be4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
5f8f6292a71058ed89ba05a704b79eb0

SHA1
cc6af689963c4b10a20a99ceba415dd356eb5e39

SHA256
ce7c260dd9f6b154e061920e8b052171da6f8d80ecd26b38b4b2deec8d9a4f04

SHA512
6505c58feedd0770e692f86ef33453a4ee0505aafc55185535566a5e6af470d1f12f4fc30e2caa148c9816c528f57bff667489b8262be013362d29fe26a50c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c9926148.exe

Filesize
402KB

MD5
c6ce87618d0922f5b8776d8b598aeb03

SHA1
f4d9cc93b4e8712b0a92ac6b684086a20f3d8a75

SHA256
30c07696b475f2efe0f93bc002cdaaa423be872c1f4435e380ae622ec896b7bf

SHA512
16ac053a05aec81227ff5b95d924992c9298b1f184cff79b7bd0e7fe61fdc82416de70d2af787eb09f8f877c4994c6297a5caa4a0845fd969f5aef7695be9775

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2409475.exe

Filesize
227KB

MD5
69898c7e9e5c421b885c9d6d9c0b65ca

SHA1
927bc1958eaa697859280b6fe6f6bbbd641ff3d2

SHA256
0809be422dc597ce5e89dccfa4fb221e6ef9c9ca2ac253744c5499e64a29ca4d

SHA512
c52da885618cb7f815f833b73e3e025d7c0034c40d93512d20b69f233f5a5205427d03f72792a8383b849e37b1549ac8379bc7788b864d87bad09d49d4f8540f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9971995.exe

Filesize
176KB

MD5
211a06e9ae68ced1234252a48696431b

SHA1
69950e2ee2fafd177d1a295836713bfd8d18df9c

SHA256
0bdca9c84103454e329cfde4e69dc41a0ec0196c078c8fc195b0fa739d2f905d

SHA512
b1643ba376075619335b4bdf0d7610aece13b7c9db60eecb508465f97ef3e6a9d5297f9ac8529886efa052cdd8814ac7d4eeab44812f797a1b2dc5fa967ee7eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6219333.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFDE4B790F47C25AC8.TMP

Filesize
16KB

MD5
6dc14ba7a06ce0f5c770b64ccffb3ee6

SHA1
8801bdad4913edef0e24f700620a3ce40fd4250b

SHA256
7256c64b343350115b246ccb016aad37d1599c146d903b99f5245fc402b67b0f

SHA512
28bf5215e5090755725c81de6448a4d1e82315c6408e1a67957baf14348be0a2a6ce3bb074cd7cc17c3e4300e7677b4e1d984d04cbe43dab332379c368187ea9

Download Submit
memory/192-15-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/192-14-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/216-102-0x000001A3E5F80000-0x000001A3E6080000-memory.dmp

Filesize
1024KB

Download
memory/216-103-0x000001A3E5F80000-0x000001A3E6080000-memory.dmp

Filesize
1024KB

Download
memory/1176-126-0x00000203D1100000-0x00000203D1200000-memory.dmp

Filesize
1024KB

Download
memory/1176-166-0x00000203D1500000-0x00000203D1600000-memory.dmp

Filesize
1024KB

Download
memory/1176-167-0x00000203D1500000-0x00000203D1600000-memory.dmp

Filesize
1024KB

Download
memory/1176-140-0x00000203D1200000-0x00000203D1300000-memory.dmp

Filesize
1024KB

Download
memory/1176-125-0x00000203D1100000-0x00000203D1200000-memory.dmp

Filesize
1024KB

Download
memory/1176-124-0x00000203D1100000-0x00000203D1200000-memory.dmp

Filesize
1024KB

Download
memory/1176-120-0x00000203D0F00000-0x00000203D1000000-memory.dmp

Filesize
1024KB

Download
memory/1176-110-0x00000203BEB00000-0x00000203BEC00000-memory.dmp

Filesize
1024KB

Download
memory/1692-46-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/1692-47-0x000000000A600000-0x000000000A63E000-memory.dmp

Filesize
248KB

Download
memory/1692-45-0x000000000A4F0000-0x000000000A5FA000-memory.dmp

Filesize
1.0MB

Download
memory/1692-48-0x0000000002330000-0x000000000237B000-memory.dmp

Filesize
300KB

Download
memory/1692-44-0x0000000009EE0000-0x000000000A4E6000-memory.dmp

Filesize
6.0MB

Download
memory/1692-43-0x0000000004960000-0x0000000004966000-memory.dmp

Filesize
24KB

Download
memory/1692-39-0x0000000000470000-0x00000000004A0000-memory.dmp

Filesize
192KB

Download
memory/3012-95-0x000001C600970000-0x000001C600972000-memory.dmp

Filesize
8KB

Download
memory/3012-76-0x000001C67BC20000-0x000001C67BC30000-memory.dmp

Filesize
64KB

Download
memory/3012-60-0x000001C67BB20000-0x000001C67BB30000-memory.dmp

Filesize
64KB

Download
memory/4616-25-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download