Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250211-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250211-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-02-2025 16:52
Behavioral task: behavioral1
  Sample: 0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
  Resource: win10v2004-20250211-en
General

Target: 0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
Size: 10.9MB
MD5: f7e1cfc6c7f7ff4dd762af36588cda54
SHA1: 583e0bfed1a770d4d60fcdb3ed9abe701b7f0f49
SHA256: 0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe
SHA512: 77f775a2a001a2cbf2146d1c0200f158a7217cf96bc796678b3d1879f0705115239c72c5530cbf930aed57eed18080c7d7dfb784e3d17799f9578cd911530820
SSDEEP: 196608:y0I9SsDPwSQZmqFcfpckEi3+9Yq2AyqRZ6VkdLko5pxK13gmli:y0I9HDPwjZ3FAbEdm1qRdlWBgmli
Malware Config

Extracted
  Family: xred
  xred.mooo.com
  payload_url:
    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
    http://xred.site50.net/syn/SUpdate.ini
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
    http://xred.site50.net/syn/Synaptics.rar
    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
    http://xred.site50.net/syn/SSLLibrary.dll
Signatures

Xred family

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 7 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" | setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" | setup.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components | setup.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" | setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" | setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" | setup.exe
Downloads MZ/PE file (1 IoC)
  flow | pid | Process
  58 | 1736 | Process not Found
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation | csrss1.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation | Synaptics.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation | csrss3.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Executes dropped EXE (28 IoCs)
  pid | Process
  4456 | csrss1.exe
  4948 | csrss2.exe
  3892 | svchost.exe
  4980 | svchost.exe
  1980 | svchost.exe
  3572 | ._cache_csrss1.exe
  1848 | Synaptics.exe
  1944 | csrss3.exe
  4424 | WinStore.Ap.exe
  1644 | ._cache_Synaptics.exe
  4348 | svchost.exe
  2816 | svchost.exe
  3920 | svchost.exe
  464 | ._cache_csrss3.exe
  4608 | WinStore.Ap.exe
  2064 | svchost.exe
  3132 | svchost.exe
  4836 | svchost.exe
  4372 | setup.exe
  3592 | setup.exe
  4136 | setup.exe
  4544 | setup.exe
  5036 | setup.exe
  4460 | setup.exe
  4596 | setup.exe
  4312 | setup.exe
  1476 | setup.exe
  2592 | setup.exe

  resource | yara_rule
  behavioral2/memory/2976-11-0x0000000000400000-0x000000000194F000-memory.dmp | vmprotect
  behavioral2/memory/2976-14-0x0000000000400000-0x000000000194F000-memory.dmp | vmprotect
  behavioral2/memory/2976-379-0x0000000000400000-0x000000000194F000-memory.dmp | vmprotect
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | csrss1.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Installs/modifies Browser Helper Object (2 TTPs, 8 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | setup.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | setup.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | setup.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | setup.exe

Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk | setup.exe

  resource | yara_rule
  behavioral2/files/0x0004000000022b32-16.dat | upx
  behavioral2/memory/4456-28-0x0000000000400000-0x00000000009E4000-memory.dmp | upx
  behavioral2/memory/1848-152-0x0000000000400000-0x00000000009E4000-memory.dmp | upx
  behavioral2/memory/4456-151-0x0000000000400000-0x00000000009E4000-memory.dmp | upx
  behavioral2/memory/3572-223-0x0000000002870000-0x000000000287B000-memory.dmp | upx
  behavioral2/memory/3572-222-0x0000000002840000-0x000000000285E000-memory.dmp | upx
  behavioral2/memory/1644-320-0x00000000027B0000-0x00000000027CE000-memory.dmp | upx
  behavioral2/memory/1644-321-0x00000000027E0000-0x00000000027EB000-memory.dmp | upx
  behavioral2/memory/1848-380-0x0000000000400000-0x00000000009E4000-memory.dmp | upx
  behavioral2/memory/1848-392-0x0000000000400000-0x00000000009E4000-memory.dmp | upx
  behavioral2/memory/1848-410-0x0000000000400000-0x00000000009E4000-memory.dmp | upx
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\svchost.exe | csrss2.exe
  File opened for modification | C:\Windows\svchost.exe | csrss2.exe
  File opened for modification | C:\Windows\svchost.exe | WinStore.Ap.exe
  File opened for modification | C:\Windows\svchost.exe | WinStore.Ap.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (5 IoCs)
  pid | pid_target | Process | procid_target
  3160 | 3892 | WerFault.exe | 93
  4036 | 4348 | WerFault.exe | 104
  3700 | 2064 | WerFault.exe | 113
  2576 | 1644 | WerFault.exe | 102
  4200 | 3572 | WerFault.exe | 99
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_csrss1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinStore.Ap.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_csrss3.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MicrosoftEdgeUpdate.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss3.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  1744 | MicrosoftEdgeUpdate.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge | setup.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" | setup.exe
Modifies registry class (64 IoCs)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  1084 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (44 IoCs)
Suspicious use of AdjustPrivilegeToken 4 IoCs
description  pid  Process
Token: 33  4372 setup.exe
Token: SeIncBasePriorityPrivilege  4372 setup.exe
Token: SeDebugPrivilege  1744 wwahost.exe
Token: SeDebugPrivilege  1744 wwahost.exe
Suspicious use of SetWindowsHookEx 19 IoCs
pid  Process  (consecutive hits)
2976 0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe (2)
3572 ._cache_csrss1.exe (3)
1644 ._cache_Synaptics.exe (2)
1084 EXCEL.EXE (1)
464 ._cache_csrss3.exe (2)
1644 ._cache_Synaptics.exe (1)
1084 EXCEL.EXE (7)
1744 wwahost.exe (1)
Suspicious use of WriteProcessMemory 64 IoCs
source pid / Process -> target pid (procid_target)  writes
2976 0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe -> 4456 (91)  x3
2976 0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe -> 4948 (92)  x3
3892 svchost.exe -> 4980 (94)  x3
3892 svchost.exe -> 1980 (95)  x3
4456 csrss1.exe -> 3572 (99)  x3
4456 csrss1.exe -> 1848 (100)  x3
2976 0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe -> 1944 (101)  x3
3572 ._cache_csrss1.exe -> 4424 (103)  x3
1848 Synaptics.exe -> 1644 (102)  x3
4348 svchost.exe -> 2816 (105)  x3
4348 svchost.exe -> 3920 (106)  x3
1944 csrss3.exe -> 464 (110)  x3
1644 ._cache_Synaptics.exe -> 4608 (112)  x3
2064 svchost.exe -> 3132 (114)  x3
2064 svchost.exe -> 4836 (115)  x3
3624 MicrosoftEdge_X64_133.0.3065.69.exe -> 4372 (134)  x2
4372 setup.exe -> 3592 (135)  x2
4372 setup.exe -> 4136 (136)  x2
4136 setup.exe -> 4544 (137)  x2
4372 setup.exe -> 5036 (138)  x2
4372 setup.exe -> 4460 (139)  x2
5036 setup.exe -> 4596 (140)  x2
4372 setup.exe -> 4312 (141)  x2
4460 setup.exe -> 1476 (142)  x2
4312 setup.exe -> 2592 (144)  x1
System policy modification 1 TTPs 4 IoCs
description  ioc  Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext  setup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\  setup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID  setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"  setup.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
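The report only records that the Task Scheduler COM API was called; it does not show the task that resulted. Tasks created that way end up as XML files under C:\Windows\System32\Tasks (the same XML that `schtasks /query /xml` prints), so the check a responder wants is an offline parse of those files for Exec actions that launch from a user-writable directory. The Python below is an added example, not part of the sandbox output or of the sample; the two task definitions in it are constructed (the suspect one points at the ProgramData path Synaptics.exe ran from in the process tree, but the report does not say such a task was registered), and the trusted/user-writable path lists are heuristics.

```python
"""Offline check of Task Scheduler definitions for suspicious persistence.

Added example, not from the sandbox report. Tasks registered through the
Task Scheduler COM API are stored as XML under C:\\Windows\\System32\\Tasks
(also what `schtasks /query /xml` prints). This parses that XML and reports
tasks whose Exec action launches from a user-writable location, noting
whether they fire at boot or logon. The sample tasks below are constructed;
the report does not record which task, if any, the sample registered.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristic path classes (lower-case, backslash separated). Not exhaustive.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
TRUSTED = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
           "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class TaskFinding:
    name: str
    command: str
    reasons: list[str] = field(default_factory=list)


def analyse_task_xml(name: str, xml_text: str) -> TaskFinding | None:
    """Return a finding for one task definition, or None if its command lives
    in a trusted directory. Boot/logon triggers alone are not reported: many
    legitimate Microsoft tasks use them."""
    # On-disk task files carry an encoding="UTF-16" declaration; drop it once
    # the text is already decoded so the parser does not trip over it.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    reasons: list[str] = []
    triggers = root.find("t:Triggers", NS)
    if triggers is not None:
        if triggers.find("t:BootTrigger", NS) is not None:
            reasons.append("runs at boot")
        if triggers.find("t:LogonTrigger", NS) is not None:
            reasons.append("runs at logon")
    commands: list[str] = []
    path_suspicious = False
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS)
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS)
        commands.append(f"{cmd} {args}".strip())
        location = cmd.strip().strip('"').lower()
        if location.startswith(USER_WRITABLE):
            reasons.append(f"launches from user-writable path: {cmd}")
            path_suspicious = True
        elif not location.startswith(TRUSTED):
            reasons.append(f"launches from unexpected path: {cmd}")
            path_suspicious = True
    if not path_suspicious:
        return None
    return TaskFinding(name=name, command="; ".join(commands), reasons=reasons)


def analyse_task_tree(tasks_root: Path) -> list[TaskFinding]:
    """Walk a live or exported Tasks folder. Files there are UTF-16 XML."""
    findings = []
    for path in sorted(p for p in tasks_root.rglob("*") if p.is_file()):
        try:
            text = path.read_bytes().decode("utf-16")
        except UnicodeDecodeError:
            text = path.read_text(encoding="utf-8", errors="replace")
        try:
            finding = analyse_task_xml(str(path.relative_to(tasks_root)), text)
        except ET.ParseError:
            continue  # not a task definition
        if finding:
            findings.append(finding)
    return findings


# Constructed (hypothetical) task: a logon task pointing at the ProgramData
# path the dropped Synaptics.exe ran from in the process tree.
SUSPECT_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\ProgramData\\Synaptics\\Synaptics.exe</Command>
      <Arguments>InjUpdate</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign counterpart: boot trigger, but the command is in System32.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Windows\\System32\\svchost.exe</Command><Arguments>-k netsvcs</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for task_name, xml in (("Synaptics", SUSPECT_TASK_XML), ("NetSvcs", BENIGN_TASK_XML)):
        print(task_name, analyse_task_xml(task_name, xml))
```

Run `analyse_task_tree(Path(r"C:\Windows\System32\Tasks"))` on the affected host, or on a copy of that folder pulled from a disk image. Only tasks whose command sits outside the trusted directories are reported; the boot/logon note is attached so the analyst can see at a glance whether the task also gives the binary a restart path.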
Processes
Depth in the process tree is shown in brackets; PIDs are the sandbox's.

[1] C:\Users\Admin\AppData\Local\Temp\0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe"
    PID: 2976
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\csrss1.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss1.exe
        PID: 4456
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\._cache_csrss1.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_csrss1.exe"
            PID: 3572
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\WinStore.Ap.exe
                Command line: C:\Users\Admin\AppData\Local\Temp\WinStore.Ap.exe
                PID: 4424
                - Executes dropped EXE
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1404
                PID: 4200
                - Program crash

        [3] C:\ProgramData\Synaptics\Synaptics.exe
            Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
            PID: 1848
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                PID: 1644
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] C:\Users\Admin\AppData\Local\Temp\WinStore.Ap.exe
                    Command line: C:\Users\Admin\AppData\Local\Temp\WinStore.Ap.exe
                    PID: 4608
                    - Executes dropped EXE
                    - Drops file in Windows directory

                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 1324
                    PID: 2576
                    - Program crash

    [2] C:\Users\Admin\AppData\Local\Temp\csrss2.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss2.exe
        PID: 4948
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

    [2] C:\Users\Admin\AppData\Local\Temp\csrss3.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss3.exe
        PID: 1944
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\._cache_csrss3.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_csrss3.exe"
            PID: 464
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
[1] C:\Windows\svchost.exe
    Command line: C:\Windows\svchost.exe
    PID: 3892
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\svchost.exe
        Command line: C:\Windows\svchost.exe Win7
        PID: 4980
        - Executes dropped EXE

    [2] C:\Windows\svchost.exe
        Command line: C:\Windows\svchost.exe Win7
        PID: 1980
        - Executes dropped EXE

    [2] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 408
        PID: 3160
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3892 -ip 3892
    PID: 1164
[1] C:\Windows\svchost.exe
    Command line: C:\Windows\svchost.exe
    PID: 4348
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\svchost.exe
        Command line: C:\Windows\svchost.exe Win7
        PID: 2816
        - Executes dropped EXE

    [2] C:\Windows\svchost.exe
        Command line: C:\Windows\svchost.exe Win7
        PID: 3920
        - Executes dropped EXE

    [2] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 368
        PID: 4036
        - Program crash
[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    PID: 1084
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4348 -ip 4348
    PID: 2872
[1] C:\Windows\svchost.exe
    Command line: C:\Windows\svchost.exe
    PID: 2064
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\svchost.exe
        Command line: C:\Windows\svchost.exe Win7
        PID: 3132
        - Executes dropped EXE

    [2] C:\Windows\svchost.exe
        Command line: C:\Windows\svchost.exe Win7
        PID: 4836
        - Executes dropped EXE

    [2] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 332
        PID: 3700
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2064 -ip 2064
    PID: 3116

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1644 -ip 1644
    PID: 440

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3572 -ip 3572
    PID: 1868
[1] C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping […]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI2IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjQxODQ4NjYyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    PID: 1744
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
[1] C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3902C35C-C63A-4274-87F1-F7CDEC8DF86A}\MicrosoftEdge_X64_133.0.3065.69.exe
    Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3902C35C-C63A-4274-87F1-F7CDEC8DF86A}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    PID: 3624
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3902C35C-C63A-4274-87F1-F7CDEC8DF86A}\EDGEMITMP_6FD88.tmp\setup.exe
        Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3902C35C-C63A-4274-87F1-F7CDEC8DF86A}\EDGEMITMP_6FD88.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3902C35C-C63A-4274-87F1-F7CDEC8DF86A}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
        PID: 4372
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Installs/modifies Browser Helper Object
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        [3] C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3902C35C-C63A-4274-87F1-F7CDEC8DF86A}\EDGEMITMP_6FD88.tmp\setup.exe
            Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3902C35C-C63A-4274-87F1-F7CDEC8DF86A}\EDGEMITMP_6FD88.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3902C35C-C63A-4274-87F1-F7CDEC8DF86A}\EDGEMITMP_6FD88.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff62d7a6a68,0x7ff62d7a6a74,0x7ff62d7a6a80
            PID: 3592
            - Executes dropped EXE

        [3] C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3902C35C-C63A-4274-87F1-F7CDEC8DF86A}\EDGEMITMP_6FD88.tmp\setup.exe
            Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3902C35C-C63A-4274-87F1-F7CDEC8DF86A}\EDGEMITMP_6FD88.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
            PID: 4136
            - Executes dropped EXE
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious use of WriteProcessMemory

            [4] C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3902C35C-C63A-4274-87F1-F7CDEC8DF86A}\EDGEMITMP_6FD88.tmp\setup.exe
                Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3902C35C-C63A-4274-87F1-F7CDEC8DF86A}\EDGEMITMP_6FD88.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3902C35C-C63A-4274-87F1-F7CDEC8DF86A}\EDGEMITMP_6FD88.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff62d7a6a68,0x7ff62d7a6a74,0x7ff62d7a6a80
                PID: 4544
                - Executes dropped EXE

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
            PID: 5036
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7a5926a68,0x7ff7a5926a74,0x7ff7a5926a80
                PID: 4596
                - Executes dropped EXE
                - Drops file in Program Files directory

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
            PID: 4460
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7a5926a68,0x7ff7a5926a74,0x7ff7a5926a80
                PID: 1476
                - Executes dropped EXE

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
            PID: 4312
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Suspicious use of WriteProcessMemory

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7a5926a68,0x7ff7a5926a74,0x7ff7a5926a80
                PID: 2592
                - Executes dropped EXE
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
    PID: 456

[1] C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
    Command line: "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
    PID: 4368
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\system32\wwahost.exe
    Command line: "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
    PID: 1744
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
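Two things in the tree above give the sample away without any signature: svchost.exe running from C:\Windows (the real one runs from System32, as the AppReadiness instance does), and csrss1/2/3.exe, ._cache_*.exe and Synaptics.exe launching from %TEMP% and ProgramData. The Python below is an added example, not part of the sandbox output, that encodes those two checks as rules over a process list. SAMPLE_TREE is constructed from the paths and PIDs in the tree; the sandbox's own export format is not parsed, and the table of system binaries and their home directories is a small heuristic subset.

```python
"""Triage a process list for image-name masquerading and launches from
user-writable paths.

Added example, not part of the report. The rules encode what stands out in
the tree above: svchost.exe running from C:\\Windows rather than System32,
csrss1/2/3.exe and ._cache_*.exe launched from %TEMP%, and Synaptics.exe
launched from ProgramData. SAMPLE_TREE is constructed from the tree's paths
and PIDs; the sandbox's own output format is not parsed here.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Windows binaries malware likes to name itself after, and the only
# directories they legitimately run from (lower-case, no trailing slash).
SYSTEM_BINARIES: dict[str, tuple[str, ...]] = {
    "svchost.exe": ("c:\\windows\\system32", "c:\\windows\\syswow64"),
    "csrss.exe": ("c:\\windows\\system32",),
    "lsass.exe": ("c:\\windows\\system32",),
    "winlogon.exe": ("c:\\windows\\system32",),
    "explorer.exe": ("c:\\windows",),
}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int | None
    image: str


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    rule: str


def canonical_name(basename: str) -> str:
    """Map look-alikes onto the real name: csrss1.exe -> csrss.exe."""
    stem, ext = ntpath.splitext(basename.lower())
    return re.sub(r"\d+$", "", stem) + ext


def triage(procs: list[Proc]) -> list[Finding]:
    by_pid = {p.pid: p for p in procs}
    findings: list[Finding] = []
    for p in procs:
        image = p.image.lower()
        directory, basename = ntpath.split(image)
        name = canonical_name(basename)
        if name in SYSTEM_BINARIES and directory not in SYSTEM_BINARIES[name]:
            findings.append(Finding(p.pid, p.image,
                                    f"masquerades as {name} outside its home directory"))
        if image.startswith(USER_WRITABLE):
            findings.append(Finding(p.pid, p.image, "executes from user-writable path"))
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if parent is not None and parent.image.lower().startswith(USER_WRITABLE):
            findings.append(Finding(p.pid, p.image,
                                    "spawned by a process in a user-writable path"))
    return findings


TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE = TEMP + "0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe"

# Constructed from the process tree above: (pid, parent pid, image path).
SAMPLE_TREE = [
    Proc(2976, None, SAMPLE),
    Proc(4456, 2976, TEMP + "csrss1.exe"),
    Proc(3572, 4456, TEMP + "._cache_csrss1.exe"),
    Proc(1848, 4456, "C:\\ProgramData\\Synaptics\\Synaptics.exe"),
    Proc(1644, 1848, TEMP + "._cache_Synaptics.exe"),
    Proc(4948, 2976, TEMP + "csrss2.exe"),
    Proc(1944, 2976, TEMP + "csrss3.exe"),
    Proc(464, 1944, TEMP + "._cache_csrss3.exe"),
    Proc(3892, None, "C:\\Windows\\svchost.exe"),
    Proc(4980, 3892, "C:\\Windows\\svchost.exe"),
    Proc(456, None, "C:\\Windows\\System32\\svchost.exe"),
    Proc(1084, None, "C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_TREE):
        print(f"{f.pid:>5}  {f.rule:<55}  {f.image}")
```

On a live host the same `Proc` records can be filled from `Get-CimInstance Win32_Process` (ProcessId, ParentProcessId, ExecutablePath) or from an EDR process export. The parent rule is what links the three svchost.exe instances back to the chain even though their own image name looks ordinary at a glance.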
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Browser Extensions (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Downloads

- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3902C35C-C63A-4274-87F1-F7CDEC8DF86A}\EDGEMITMP_6FD88.tmp\setup.exe
  Filesize: 6.8MB
  MD5: bdb1aecedc15fc82a63083452dad45c2
  SHA1: a074fcd78665ff90ee3e50ffcccad5f6c3e7ddcb
  SHA256: 4ea0907c3fc2c2f6a4259002312671c82e008846d49957bb3b9915612e35b99f
  SHA512: 50909640c2957fc35dd5bcac3b51797aa5daa2fb95364e69df95d3577482e13f0c36a70ae098959cb9c2aaeb4cfe43025c1d8d55b5f8858b474bcb702609749d

- Filesize: 3.9MB
  MD5: 4aaa893417cccc147989f876c6a7b295
  SHA1: b1e35c83518bb275924ead0cd6206bf0c982d30f
  SHA256: 2c38e3c3f18e2d3fb7f04336356b9b5186cabe06b3343beec318ef0def1a9eeb
  SHA512: 109e0c88977fae65a4950fc38393ca32a70d68ef41aeb75b28e6566e0fa626e32e31be38308e7ed5b6a8ba1f56fb5f2133a07aa8bb643224c3dbb089ce9cfd0e

- Filesize: 72KB
  MD5: 398ab3fb95ccff745f3760f941529c50
  SHA1: 60957fd9cc0911c26f257a9b693703c9a0c7c237
  SHA256: 5ac5ae309d05c10fcd3229f3e66be22d99008d2d37ad15b75765e8aec3e6e6cb
  SHA512: 0b47d116d32c2787ed305997a9f36d5ab5c5c7aad4d4850a8ab5bb1d73f69e1eb9e6efd30abebb257cabdce00261300713287bc2332141852ff9b9a028a7a35d

- Filesize: 98KB
  MD5: b727d544dca3d5d0eb57228b3ca51d77
  SHA1: ec69115a519be0d73a52e76fa1611d772398e8b0
  SHA256: 978b724e593ff9218b84885335f0432a84f436839983e9e8565fe1c80d6779a4
  SHA512: be4f5430bec267c559b0b72c077c3ff57989d3846ad4d16aac117ff13d9d16225b6837738381e600a89121a9364891abbd4a0019523500abe5ea0212831bd3f3

- Filesize: 101KB
  MD5: c227be23353ceab33b2a2ae80e152312
  SHA1: 4dd626b39df2e9a896e29e9e89c925b433b79f8e
  SHA256: 9978262fecdd64e3a18b8957a957db8c5e7223a0df32993268d09faea6b8966f
  SHA512: 0d5d1194d42509f1031810b113e4941debe9946696328fcbb7f4e9778beab297397200bdb676aa34b6510db3928d0314ca9276b18164c1737463f9d5fa1c53ee
- Filesize: 103KB
  MD5: 69105b00b90a83a18a8c2d706507b38d
  SHA1: 2d0e71ca05067cd87d7bdf8f8dc97d0bbeea62ce
  SHA256: 52b04504fbe4629f110a29713874342f2912e49f9c75408e81b0f7a6d1131b63
  SHA512: 07c955f275cbaf9c0d6f858fc424c4c2932d68f4be68e683a15815f57e6f535e20554d3655394f888db0c7d23d90a3544e428f9e970e32da5228dc5325845ab2

- Filesize: 5.0MB
  MD5: 044d17f97d75da98e9eb2aa62ec7b75a
  SHA1: 0115b76acb7424b55252416f5f96dfcbd8575c17
  SHA256: d9161c71e9aa4ed4cbe22b6fda94e18c85b43125fc5cee102daa0db5f9b60a34
  SHA512: f3e3d0ec861a0ee5aedf45b2d05c0a4de4cece59ce7c848e1294885a22409a8d88ab045c52606a4bd60585d7ac8ec084b200886f518cafb691eb0333385f2200

- Filesize: 700KB
  MD5: e90eddc4db34ec03b80c552e53b5c69c
  SHA1: 885cff8c7f6fcc362332dcaec0beadb73ea28eba
  SHA256: 7e7825184c8bd575fac683ee957fc530100de3399e22d611d12ddf155d62e336
  SHA512: 3e9fae21e9a528072fc8add9bb3bd8a2f6183fc4375beebe05e4ae0383cfc4619dbd1061737eeea439caea1f9bb81dab1cf9c5b887077024b8d92bb1a5807095

- Filesize: 22KB
  MD5: 7735132295fb840b69c6e3c5d2496ddc
  SHA1: 704ae738beca1fe98d13e0138be2b3c55a1c9652
  SHA256: a98a904025135edaf51a198f93bff6def1cadcc092a1745e80628048346e8ae2
  SHA512: cfa4b780e7eb540601e527beba291e2fd8f581cb2f178507a561ea11ffffdfb0c6d0fb4d001bd9071a5b951d6a1257a236590d213c021278176d522a3277f5f2

- Filesize: 36KB
  MD5: 6bcfc02cec27994f21fbd864eab7cced
  SHA1: 941469f26107f8e5576943b8a6f1338a2a0694b8
  SHA256: aac2fcb25f1022e52ca001f655c50e94f59b8cb1447a3a89b31f5b51b1c1cbc3
  SHA512: 1988fe89ccd35335927ec444b6d0c178d28198f3270bb12bad89fc5a9e70527a5a03b9c7c89330dc7dafc141d2156eb2795288454c74c9a8c8e0abcdd5378fc9
- Filesize: 5.1MB
  MD5: f33b166aa53dcbdb6ee38dbc041ed51b
  SHA1: fd77e28afa1008b7a2d43191fea2a42bbab37df2
  SHA256: aa5fe8561ad9325981bd6f514c25b8a15571120638fb37ad6e151b8f4defe135
  SHA512: 8f3a82e3921796c092c31b1e7aefa15776b277810f5248bb39988af7cb1576aafc974e9046a2defa5f2e959269f4dbcba8244afc67463348afc8c66a675cf619

- Filesize: 1.4MB
  MD5: 948ef47cbef691ed14da3dd81fd12d99
  SHA1: 3d495e706c9456d76d19013cb89ff87c874f2e8e
  SHA256: ef700e93e37470b99acbcd35e450bf63f03b19a362d3821350c62abacd6c9d54
  SHA512: 9f0b5268794f4b168fb6ae0197a1f56acba6d9820f295cc24947354b8cece0dadfca0f5f7967f607f578125de39232a801e17c6f1f14b35288c98c16d6a37d62

- Filesize: 17KB
  MD5: e566fc53051035e1e6fd0ed1823de0f9
  SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
  SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
  SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

- Filesize: 36KB
  MD5: 1c47934968624092ab9d889aa6c42f89
  SHA1: 6371c0b5bf568225e637a9049d3b7b2888e7ec1f
  SHA256: ee8f0bab814a672f624ed59f157806229cc194aaf3704aea7f49e6f5fd70c0b0
  SHA512: d35c84a17e29d401a563dfa7b9b0c56d3a266a5bdc00dc85ee2e35b44931639c4b1ddd08ef178797144086fa3a09c3daad35340e0c99217f06adfdecc069752c
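The Downloads list is the raw set of files the sandbox captured, and it is not all malicious: the setup.exe at its head is the Edge installer fetched by the legitimate MicrosoftEdgeUpdate.exe run that happened to coincide with the detonation, so it must be left out of any indicator set. The Python below is an added example, not part of the report, that sweeps a directory tree against hashes from that list, reading each file once for all three digests. XRED_DROP_HASHES carries only the MD5/SHA256 pairs of the unnamed 3.9MB, 5.0MB and 5.1MB entries, copied from above; add the remaining entries as needed. demo() runs the matcher over a constructed temporary directory using the well-known digests of the empty string and of "abc" as stand-in indicators.

```python
"""Sweep a directory tree for files matching the dropped-file hashes above.

Added example, not part of the report. XRED_DROP_HASHES carries three of
the MD5/SHA256 pairs from the Downloads list (the unnamed 3.9MB, 5.0MB and
5.1MB entries); add the others when hunting. Each file is read once and all
three digests are computed in a single pass. demo() builds a constructed
directory with files of known content so the matcher can be exercised offline.
"""
from __future__ import annotations

import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path

DIGEST_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Copied from the Downloads list above. The Edge installer setup.exe that
# heads that list is the legitimate updater's download and is left out.
XRED_DROP_HASHES: dict[str, set[str]] = {
    "md5": {
        "4aaa893417cccc147989f876c6a7b295",
        "044d17f97d75da98e9eb2aa62ec7b75a",
        "f33b166aa53dcbdb6ee38dbc041ed51b",
    },
    "sha256": {
        "2c38e3c3f18e2d3fb7f04336356b9b5186cabe06b3343beec318ef0def1a9eeb",
        "d9161c71e9aa4ed4cbe22b6fda94e18c85b43125fc5cee102daa0db5f9b60a34",
        "aa5fe8561ad9325981bd6f514c25b8a15571120638fb37ad6e151b8f4defe135",
    },
}


@dataclass(frozen=True)
class HashMatch:
    path: Path
    algorithm: str
    digest: str


def validate_iocs(iocs: dict[str, set[str]]) -> list[str]:
    """Return digests of the wrong length or not hex. A typo in an IOC list
    otherwise fails silently by matching nothing."""
    bad = []
    for alg, digests in iocs.items():
        for d in digests:
            if len(d) != DIGEST_LENGTHS.get(alg, -1) or not all(c in "0123456789abcdefABCDEF" for c in d):
                bad.append(f"{alg}:{d}")
    return bad


def digest_file(path: Path, chunk_size: int = 1 << 20) -> dict[str, str]:
    """md5, sha1 and sha256 of one file from a single read."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with path.open("rb") as fh:
        while chunk := fh.read(chunk_size):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def scan_tree(root: Path, iocs: dict[str, set[str]]) -> list[HashMatch]:
    wanted = {alg: {d.lower() for d in digests} for alg, digests in iocs.items()}
    matches: list[HashMatch] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            digests = digest_file(path)
        except OSError:
            continue  # locked or unreadable; never abort the sweep on one file
        for alg, digest in digests.items():
            if digest in wanted.get(alg, set()):
                matches.append(HashMatch(path, alg, digest))
    return matches


def demo() -> list[tuple[str, str]]:
    """Constructed fixture: the well-known digests of b"" and b"abc" stand in
    for real indicators. Returns (file name, algorithm) pairs that matched."""
    iocs = {
        "md5": {"d41d8cd98f00b204e9800998ecf8427e"},  # MD5 of the empty string
        "sha256": {"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},  # SHA256("abc")
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "abc.bin").write_bytes(b"abc")
        (root / "empty.bin").write_bytes(b"")
        (root / "other.bin").write_bytes(b"not an indicator")
        return [(m.path.name, m.algorithm) for m in scan_tree(root, iocs)]


if __name__ == "__main__":
    assert not validate_iocs(XRED_DROP_HASHES)
    print(demo())
```

For a real sweep call `scan_tree(Path(r"C:\"), XRED_DROP_HASHES)` or point it at the user profile, ProgramData and C:\Windows, which is where the process tree shows this sample writing. Hash matching only finds byte-identical copies; the path and masquerading checks from the process tree are the complement when the dropped files have been repacked.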