3f9a7292c3b4837477ef5d8181fae11e827753a575f0ee852546fe64c79389ab

Analysis

max time kernel
162s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
13-02-2022 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f9a7292c3b4837477ef5d8181fae11e827753a575f0ee852546fe64c79389ab.msi
Size

639KB
MD5

e007150906487c162a47e2ed102460e3
SHA1

19f4b3d82646e0872504d7862b0b01e3dc5822b8
SHA256

3f9a7292c3b4837477ef5d8181fae11e827753a575f0ee852546fe64c79389ab
SHA512

7b14161d8cf731da5a580f479bc358183b91658717cefe4b76e1b89028eae2a633e3254b075597dc43d92d20e008fe36007b70409dbec95ce3749e52020a357f

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
52	3496	MsiExec.exe
64	3496	MsiExec.exe

Executes dropped EXE 1 IoCs

pid	Process
3468	lcBCB.tmp

Loads dropped DLL 5 IoCs

pid	Process
3496	MsiExec.exe
3496	MsiExec.exe
3496	MsiExec.exe
3496	MsiExec.exe
3496	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6d3a6328-e2e5-48fe-b8a6-9bd169a7b9d4.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220213114852.pma	setup.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\1ce9d42.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\1ce9d42.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA7C2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI95B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB13.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI10A1.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6D15FDC5-AEB4-453A-8CCA-ECA7F672ABBC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1EEB.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	52	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
384	msedge.exe
384	msedge.exe
2840	msedge.exe
2840	msedge.exe
3488	msiexec.exe
3488	msiexec.exe
4800	identity_helper.exe
4800	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	492	msiexec.exe
Token: SeIncreaseQuotaPrivilege	492	msiexec.exe
Token: SeSecurityPrivilege	3488	msiexec.exe
Token: SeCreateTokenPrivilege	492	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	492	msiexec.exe
Token: SeLockMemoryPrivilege	492	msiexec.exe
Token: SeIncreaseQuotaPrivilege	492	msiexec.exe
Token: SeMachineAccountPrivilege	492	msiexec.exe
Token: SeTcbPrivilege	492	msiexec.exe
Token: SeSecurityPrivilege	492	msiexec.exe
Token: SeTakeOwnershipPrivilege	492	msiexec.exe
Token: SeLoadDriverPrivilege	492	msiexec.exe
Token: SeSystemProfilePrivilege	492	msiexec.exe
Token: SeSystemtimePrivilege	492	msiexec.exe
Token: SeProfSingleProcessPrivilege	492	msiexec.exe
Token: SeIncBasePriorityPrivilege	492	msiexec.exe
Token: SeCreatePagefilePrivilege	492	msiexec.exe
Token: SeCreatePermanentPrivilege	492	msiexec.exe
Token: SeBackupPrivilege	492	msiexec.exe
Token: SeRestorePrivilege	492	msiexec.exe
Token: SeShutdownPrivilege	492	msiexec.exe
Token: SeDebugPrivilege	492	msiexec.exe
Token: SeAuditPrivilege	492	msiexec.exe
Token: SeSystemEnvironmentPrivilege	492	msiexec.exe
Token: SeChangeNotifyPrivilege	492	msiexec.exe
Token: SeRemoteShutdownPrivilege	492	msiexec.exe
Token: SeUndockPrivilege	492	msiexec.exe
Token: SeSyncAgentPrivilege	492	msiexec.exe
Token: SeEnableDelegationPrivilege	492	msiexec.exe
Token: SeManageVolumePrivilege	492	msiexec.exe
Token: SeImpersonatePrivilege	492	msiexec.exe
Token: SeCreateGlobalPrivilege	492	msiexec.exe
Token: SeRestorePrivilege	3488	msiexec.exe
Token: SeTakeOwnershipPrivilege	3488	msiexec.exe
Token: SeRestorePrivilege	3488	msiexec.exe
Token: SeTakeOwnershipPrivilege	3488	msiexec.exe
Token: SeRestorePrivilege	3488	msiexec.exe
Token: SeTakeOwnershipPrivilege	3488	msiexec.exe
Token: SeRestorePrivilege	3488	msiexec.exe
Token: SeTakeOwnershipPrivilege	3488	msiexec.exe
Token: SeRestorePrivilege	3488	msiexec.exe
Token: SeTakeOwnershipPrivilege	3488	msiexec.exe
Token: SeRestorePrivilege	3488	msiexec.exe
Token: SeTakeOwnershipPrivilege	3488	msiexec.exe
Token: SeRestorePrivilege	3488	msiexec.exe
Token: SeTakeOwnershipPrivilege	3488	msiexec.exe
Token: SeRestorePrivilege	3488	msiexec.exe
Token: SeTakeOwnershipPrivilege	3488	msiexec.exe
Token: SeRestorePrivilege	3488	msiexec.exe
Token: SeTakeOwnershipPrivilege	3488	msiexec.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
492	msiexec.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
492	msiexec.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 3496	3488	msiexec.exe	65
PID 3488 wrote to memory of 3496	3488	msiexec.exe	65
PID 3488 wrote to memory of 3496	3488	msiexec.exe	65
PID 3496 wrote to memory of 4052	3496	MsiExec.exe	72
PID 3496 wrote to memory of 4052	3496	MsiExec.exe	72
PID 3496 wrote to memory of 4052	3496	MsiExec.exe	72
PID 4052 wrote to memory of 2840	4052	cmd.exe	76
PID 4052 wrote to memory of 2840	4052	cmd.exe	76
PID 2840 wrote to memory of 1884	2840	msedge.exe	77
PID 2840 wrote to memory of 1884	2840	msedge.exe	77
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 2052	2840	msedge.exe	78
PID 2840 wrote to memory of 384	2840	msedge.exe	79
PID 2840 wrote to memory of 384	2840	msedge.exe	79
PID 2840 wrote to memory of 3720	2840	msedge.exe	80
PID 2840 wrote to memory of 3720	2840	msedge.exe	80
PID 2840 wrote to memory of 3720	2840	msedge.exe	80
PID 2840 wrote to memory of 3720	2840	msedge.exe	80
PID 2840 wrote to memory of 3720	2840	msedge.exe	80
PID 2840 wrote to memory of 3720	2840	msedge.exe	80
PID 2840 wrote to memory of 3720	2840	msedge.exe	80
PID 2840 wrote to memory of 3720	2840	msedge.exe	80
PID 2840 wrote to memory of 3720	2840	msedge.exe	80
PID 2840 wrote to memory of 3720	2840	msedge.exe	80
PID 2840 wrote to memory of 3720	2840	msedge.exe	80
PID 2840 wrote to memory of 3720	2840	msedge.exe	80

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3f9a7292c3b4837477ef5d8181fae11e827753a575f0ee852546fe64c79389ab.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:492

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:1960

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EA4444B87EC9C03BDF6B2C63E4AC9967
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start /MAX https://adobe.ly/2RY5GJR
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://adobe.ly/2RY5GJR
      4⤵
      Adds Run key to start application
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe403146f8,0x7ffe40314708,0x7ffe40314718
        5⤵
        
        PID:1884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,7616622345260487090,711747350303543112,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
        5⤵
        
        PID:2052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,7616622345260487090,711747350303543112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,7616622345260487090,711747350303543112,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
        5⤵
        
        PID:3720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7616622345260487090,711747350303543112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
        5⤵
        
        PID:408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7616622345260487090,711747350303543112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
        5⤵
        
        PID:3460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7616622345260487090,711747350303543112,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
        5⤵
        
        PID:3544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2196,7616622345260487090,711747350303543112,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5200 /prefetch:8
        5⤵
        
        PID:832
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,7616622345260487090,711747350303543112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
        5⤵
        
        PID:4772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,7616622345260487090,711747350303543112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7616622345260487090,711747350303543112,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
        5⤵
        
        PID:4912
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        5⤵
        Drops file in Program Files directory
        
        PID:5004
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x254,0x258,0x25c,0x210,0x260,0x7ff7d0555460,0x7ff7d0555470,0x7ff7d0555480
        6⤵
        
        PID:5044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2196,7616622345260487090,711747350303543112,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4280 /prefetch:8
        5⤵
        
        PID:2272
- - C:\Users\Admin\AppData\Local\Temp\lcBCB.tmp
    "C:\Users\Admin\AppData\Local\Temp\lcBCB.tmp"
    3⤵
    - Executes dropped EXE
    PID:3468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:3504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2052-145-0x00007FFE60040000-0x00007FFE60041000-memory.dmp

Filesize
4KB

Download