hxxps://download2391[.]mediafire[.]com/dwrifu0d8gngU1esXtH9eVSh1KCRcInDOWqTuzPxia5JviSSG4y4G0r5nZRgM5q6ZIvWFgwR9uIt89n4tNwmhEHZr6M8/edxrydvanz0j7ac/Win_Icon_Pack[.]exe

Analysis

max time kernel
150s
max time network
141s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02/04/2023, 08:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://download2391.mediafire.com/dwrifu0d8gngU1esXtH9eVSh1KCRcInDOWqTuzPxia5JviSSG4y4G0r5nZRgM5q6ZIvWFgwR9uIt89n4tNwmhEHZr6M8/edxrydvanz0j7ac/Win_Icon_Pack.exe

Score

8^/10

discovery exploit upx

Malware Config

Signatures

Downloads MZ/PE file

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
4228	icacls.exe
3692	takeown.exe
4504	icacls.exe
2104	icacls.exe

Executes dropped EXE 4 IoCs

pid	Process
4220	Win_Icon_Pack.exe
4204	iPack_Installer.exe
2044	7z.exe
4764	Patcher.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2104	icacls.exe
4228	icacls.exe
3692	takeown.exe
4504	icacls.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000200000001ad11-183.dat	upx
behavioral1/files/0x000200000001ad11-184.dat	upx
behavioral1/memory/4220-185-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/files/0x000700000001af7e-236.dat	upx
behavioral1/files/0x000700000001af7e-238.dat	upx
behavioral1/memory/4220-241-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2044-242-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2044-249-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/files/0x0004000000000691-280.dat	upx
behavioral1/files/0x0004000000000691-281.dat	upx
behavioral1/memory/4764-282-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4764-291-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4764-290-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4764-296-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4764-299-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4764-306-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4764-310-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4764-312-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4764-314-0x0000000000400000-0x0000000000521000-memory.dmp	upx

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe.config	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource Files\Backup\System32\imageres.dll	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\header.png	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\Configuration.config	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource Files\imagesp1.dll.res	7z.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource Files\zipfldr.dll.res	7z.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\logo.png	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource.iPack	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\header.png	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe.config	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\imageres.dll.res	7z.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\zipfldr.dll.res	7z.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\Backup\System32\imageres.dll	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\License.txt	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource Files\imageres.dll.res	7z.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\ACL\System32\imageres.dll.AclFile	icacls.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Patcher.ini	Patcher.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\Configuration.config	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource.7z	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Patcher.exe	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Windows 10 Insider.log	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\License.txt	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource.iPack	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\7z.exe	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\imagesp1.dll.res	7z.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource Files	7z.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\Patch\System32\imageres.dll	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Patcher.log	Patcher.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\logo.png	Win_Icon_Pack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1416	taskkill.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133248961972054581"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2504	chrome.exe
2504	chrome.exe
1820	chrome.exe
1820	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2504	chrome.exe
2504	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe
Token: SeShutdownPrivilege	2504	chrome.exe
Token: SeCreatePagefilePrivilege	2504	chrome.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
4220	Win_Icon_Pack.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe
2504	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4220	Win_Icon_Pack.exe
4204	iPack_Installer.exe
4204	iPack_Installer.exe
2044	7z.exe
4764	Patcher.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2496	2504	chrome.exe	66
PID 2504 wrote to memory of 2496	2504	chrome.exe	66
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4148	2504	chrome.exe	68
PID 2504 wrote to memory of 4816	2504	chrome.exe	69
PID 2504 wrote to memory of 4816	2504	chrome.exe	69
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70
PID 2504 wrote to memory of 4844	2504	chrome.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://download2391.mediafire.com/dwrifu0d8gngU1esXtH9eVSh1KCRcInDOWqTuzPxia5JviSSG4y4G0r5nZRgM5q6ZIvWFgwR9uIt89n4tNwmhEHZr6M8/edxrydvanz0j7ac/Win_Icon_Pack.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc968c9758,0x7ffc968c9768,0x7ffc968c9778
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1692,i,4055840312549265955,16128260915445913073,131072 /prefetch:2
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1692,i,4055840312549265955,16128260915445913073,131072 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1692,i,4055840312549265955,16128260915445913073,131072 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1692,i,4055840312549265955,16128260915445913073,131072 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1692,i,4055840312549265955,16128260915445913073,131072 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5160 --field-trial-handle=1692,i,4055840312549265955,16128260915445913073,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5196 --field-trial-handle=1692,i,4055840312549265955,16128260915445913073,131072 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 --field-trial-handle=1692,i,4055840312549265955,16128260915445913073,131072 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 --field-trial-handle=1692,i,4055840312549265955,16128260915445913073,131072 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 --field-trial-handle=1692,i,4055840312549265955,16128260915445913073,131072 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5196 --field-trial-handle=1692,i,4055840312549265955,16128260915445913073,131072 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4684 --field-trial-handle=1692,i,4055840312549265955,16128260915445913073,131072 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5340 --field-trial-handle=1692,i,4055840312549265955,16128260915445913073,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1820

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3756

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2712

C:\Users\Admin\Downloads\Win_Icon_Pack.exe
"C:\Users\Admin\Downloads\Win_Icon_Pack.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4220
- C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe
  "C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:4204
- - C:\Program Files (x86)\Windows 10 Insider\7z.exe
    "C:\Program Files (x86)\Windows 10 Insider\7z.exe" x -y -bd "C:\Program Files (x86)\Windows 10 Insider\Resource.7z"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:2044
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:1416
- - C:\Windows\System32\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\Windows\System32\imageres.dll" /save "Resource Files\ACL\System32\imageres.dll.AclFile"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Drops file in Program Files directory
    PID:4228
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c takeown /a /F "C:\Windows\System32\imageres.dll" && icacls "C:\Windows\System32\imageres.dll" /grant:r "%username%":F && icacls "C:\Windows\System32\imageres.dll" /grant:r "administrators":F && exit
    3⤵
    PID:4596
  - - C:\Windows\system32\takeown.exe
      takeown /a /F "C:\Windows\System32\imageres.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3692
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\imageres.dll" /grant:r "Admin":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4504
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\imageres.dll" /grant:r "administrators":F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2104
- - C:\Program Files (x86)\Windows 10 Insider\Patcher.exe
    "C:\Program Files (x86)\Windows 10 Insider\Patcher.exe" -addoverwrite "Resource Files\Patch\System32\imageres.dll", "Resource Files\Patch\System32\imageres.dll", "Resource Files\imageres.dll.res" ,,,
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:4764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1004

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:4976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows 10 Insider\7z.exe

Filesize
148KB

MD5
f3d2f74e271da7fa59d9a4c860e6f338

SHA1
96e9fa8808fbe176494a624b4a7b5afc9306f93a

SHA256
d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3

SHA512
1553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30

Download Submit
C:\Program Files (x86)\Windows 10 Insider\7z.exe

Filesize
148KB

MD5
f3d2f74e271da7fa59d9a4c860e6f338

SHA1
96e9fa8808fbe176494a624b4a7b5afc9306f93a

SHA256
d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3

SHA512
1553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Patcher.exe

Filesize
465KB

MD5
e92786023781296f23db1d42be4148dc

SHA1
f905ee76e91114db5278943a9b0db5493748dea5

SHA256
908a411ec3b024b1af6538a6ed00dd0ffc98c9337a657cc4c9531a24e852ede8

SHA512
2c5e78e5fe3b63db4919976e2273f398a04928f0ed7f1538aadba82de98b862bc0cef2ee4607be139169d4f1d6ae5a0388f2f88f9d5ec30331eb95a4da0082e0

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Patcher.exe

Filesize
465KB

MD5
e92786023781296f23db1d42be4148dc

SHA1
f905ee76e91114db5278943a9b0db5493748dea5

SHA256
908a411ec3b024b1af6538a6ed00dd0ffc98c9337a657cc4c9531a24e852ede8

SHA512
2c5e78e5fe3b63db4919976e2273f398a04928f0ed7f1538aadba82de98b862bc0cef2ee4607be139169d4f1d6ae5a0388f2f88f9d5ec30331eb95a4da0082e0

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Resource Files\Patch\System32\imageres.dll

Filesize
22.5MB

MD5
ef790f21def0d06d9bc23978de3d8cd4

SHA1
a34367b94b0095cd12528a00e5cc07a57c20269a

SHA256
078d93433a113e458677df1cb6c323c27f33fc641bb1307ba7eb75ba5724037e

SHA512
bfe5a0018d5f4490fdec0190005e70762dd0d6745dae68d16494b4b574f11098dab1687a45f248415ed219a96a0d1a11e9e8c34d25c49da7ccacb2dabfeccbfc

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Resource Files\imageres.dll.res

Filesize
36.1MB

MD5
cdcf3c73452336ef09c2d6b149e00dc3

SHA1
50fef89141c4912e58ba8acf625b1274fd8129f8

SHA256
8015634f7a794831793baceea236a771d3edeaf1251be0beee67e03327692661

SHA512
1069e30ceaa4e098d3cc9b022a77a8ed2c4316c1d1394b729a01b9fbaed90d040d3138439c4cae1548f05be9270f2f9bea29f10f223f65ad4c1fdb861f95ef3f

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Resource.7z

Filesize
11.0MB

MD5
dab17c10540ea981f10b4748105a3d77

SHA1
a519f703f27e9b854e2abaa6547613851b107d68

SHA256
20ae9faeac4e7940a444728a349706822b22bde7194e228167cc0424cb861165

SHA512
4b45cc7f4ed50db62d829c0070da009611dc3838958e9365c51549f4d6111c83ec1aa399366c6fdb5f51fff644f1b8c686f5c49ca1e01daad0fe3ebc1f0ed91d

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Resource.iPack

Filesize
11.0MB

MD5
c78e3a380550933edf0c910d164b2722

SHA1
c6c4245da1b27ecb559f547c76e3a9d97d4ad50c

SHA256
2418dfbdb9c97e90cf7eb63d249cef3c6efec5c183557ea131166baf5db1dc09

SHA512
2aa4fa14b0e4c4db3aa506398cb7d7470136df9d95869aa998f1b9ce42023d7763055821b65ec8eb97567e5c36baae42613a521f2dc5e4901eec2e71c484942d

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\Configuration.config

Filesize
249B

MD5
d02ca78c6eefd91f71c7a7622e796370

SHA1
fb6d069345127acba59038030083742d2236a3d1

SHA256
cece5ea9e14a2821ee8fbd6616f6f93f73e7641f4715bc24e8a4dbeaeff1ef81

SHA512
e82b4cd02ffd0199068292d9fdb57d70bef29bc33eaef5e327293268d14ce7cebb03997a8048e93c8bb4fe4b2d5096608c17ffdeab98d09b60771c84665f023d

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\License.txt

Filesize
941B

MD5
a12a2d3a14e3a6dc6250bd7ab5e399c0

SHA1
a9eb44510c98d2a066875e4e09904f70333cf8b6

SHA256
7893df543413869f797b5733498b2027b2d69b4d3ec3bc998ba9c28e1b633e8d

SHA512
af79120051d625288b670d2dc97ed8dcac18410a5763e936c8410a7e752294bf1085cce84405093648204be07232fda38fcf89a1dce1f2fec94069304b626454

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\header.png

Filesize
18KB

MD5
05881c368816adce83f69ebe8cdd1e66

SHA1
f96830c41d327e818c36662e1e08bee2b3fc30c7

SHA256
95debde2e09114ccb0838aaa2a35dba65061c87cd3430bc1a1e0f05d14d930a2

SHA512
28480acd811e0ef863b96aa141b5278f8ee16820c400359d70c6b2c8780f35a217c1e5f563aecbc6b4f80eddc399a3884835d1e63a03bc3a69c09d6cd26f573a

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\logo.png

Filesize
21KB

MD5
21da3154a1bc6d1d582ba74191f6756e

SHA1
2e48ce7cc1c888d2525750200e6dd21c14b7f59c

SHA256
dea6f44854346692fc183119abed2de5848cadd47aa32d953a0b78ffa2a1868e

SHA512
eb169f932b0741803f8f8d6adfac3253f86f57e103e8512d4da53775cca0d344fab8a83313c9014464d581210131b27c2170d1b198a17318c1090239a860d7b6

Download Submit
C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe

Filesize
988KB

MD5
028a0537a0f1ac78babb11d034d660cc

SHA1
6f0965382aab3b823c36b02a8be409be27cb09dc

SHA256
2cd7fabd158d1cd32de6063d03ca6aac3b3b1b877c64dffeed9c7255828d46b4

SHA512
1262ce416e62aa88c64ed01acb593786800487108d94ff48d2c2f69fba4f5cd8b66277a93954bb31911614cfff56eb9474ce992f4e176f4a215f010fdcdfd243

Download Submit
C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe

Filesize
988KB

MD5
028a0537a0f1ac78babb11d034d660cc

SHA1
6f0965382aab3b823c36b02a8be409be27cb09dc

SHA256
2cd7fabd158d1cd32de6063d03ca6aac3b3b1b877c64dffeed9c7255828d46b4

SHA512
1262ce416e62aa88c64ed01acb593786800487108d94ff48d2c2f69fba4f5cd8b66277a93954bb31911614cfff56eb9474ce992f4e176f4a215f010fdcdfd243

Download Submit
C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe.config

Filesize
171B

MD5
cb143eef30f7ad481e715926b63928f4

SHA1
4bb8ae8914d07d475c4c5bbf97abfa8c60544e00

SHA256
6105a59eaa1401813a363239fb193a79179d3abc93abc4f65f180e60770b6e17

SHA512
e3067b72b255772a73d8ea4564e4874008fb52de9e18cfcdfda547408288826629f1f2ce7c0efb07b9528d34e0efd0635b91560df50f12edd4b5c19cef5af19d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7c279542ba0c37b1ea81fdf5c0dd817a

SHA1
0e13c5f00c194bbb8bb1fecfc66dca6cd166847f

SHA256
ad2248a4e07d81fcae9bab4bb9c13b3590081f0a684819ad4e068e48a65f6949

SHA512
dbd5880a729386b850eb9eddd7a628d0556e15bfda3b7e2465360785e1c87c9204cbf900e5373aa838072731cb71ee80c54410f72aa8d4f2972730a98637945d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ff56d134156c8173c48733f49d729060

SHA1
0d2b5f840df49af3ff7f7f749b4510d66d93b7ce

SHA256
136c5f10f45178ba1e4ceb2f3691dddf51eabfd9d8cf9333e90d7accf9e6fc25

SHA512
5234f2adf4f26e037d86976500d715a41462a6fb235661f59da7c428417cf9cffdeb124d8dddad25127147d5d54f4b250c3dc72d679e66c0611444b62453d74b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bc33900b7e5148e93498c9f948a9a399

SHA1
0b45ac1795c72cd31f925f29c365efd745eb8dba

SHA256
6faafcbf55917b2d42f2fe6402cc27a93950302ab522da5b6bc676b4d9038998

SHA512
115bad03edc73fd61c37a780b674c2c5443b3388de8a3cb59a4ac69c4239d8441ba47639699abd28c2d4f25bcac754680e0fe16f5e8105ee3be0504f423ad2b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fc44326418f6ea112aa61186b695eb8c

SHA1
1d7da09547560620955beb9a683d58f9b3d38f41

SHA256
3e038487d4295b9806186b0d89f4e50827f73417f57d5aaf9f24c825675f2ad8

SHA512
4f391cc72f39b1c8c0239446ac77ec62bcdd37c20200cf4dde1b0edd735f4b6ae485b2bfd92a481c413f4e221486ebe3b1cb1d3cb80d3d79d703d7c3da5236ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
612c578b7ba85c0fcb1dd6641f1abe1c

SHA1
3d4e1674742aff2084cd76d3fb389fdb792766bd

SHA256
2a1e12e861b8319c461b4f07eb1733bcf8326e41d4f9593bb7d8e2d810fcfd01

SHA512
ea907ac96f4b64da63700985243f1accbd8e13aaff22239ce1e5d030c0d55ab99a6109d59e81f0b7e47850cb1667adef07100b0bc1df8c8679efd312c69daa2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Win_Icon_Pack.exe

Filesize
11.9MB

MD5
31214ab9b12c4185a07da2331b2e09db

SHA1
8a6d6275c564c3098d4346f915b365f23ce16b8b

SHA256
f70bd9ffc1c5f7e0b55dcdfea45c15a2febd1709f1ef1d8b6d3d88f37755d2b3

SHA512
a649c7d9090682016fc2247b9072bf9f84bb2d56db8b83baa75c80a9ccf0debd9d324d4b4577c0b0f0c720e1375fdda20ad69edb4fe2cf212e36377d74d62868

Download Submit
C:\Users\Admin\Downloads\Win_Icon_Pack.exe

Filesize
11.9MB

MD5
31214ab9b12c4185a07da2331b2e09db

SHA1
8a6d6275c564c3098d4346f915b365f23ce16b8b

SHA256
f70bd9ffc1c5f7e0b55dcdfea45c15a2febd1709f1ef1d8b6d3d88f37755d2b3

SHA512
a649c7d9090682016fc2247b9072bf9f84bb2d56db8b83baa75c80a9ccf0debd9d324d4b4577c0b0f0c720e1375fdda20ad69edb4fe2cf212e36377d74d62868

Download Submit
memory/1004-286-0x00000180A0C60000-0x00000180A0CE2000-memory.dmp

Filesize
520KB

Download
memory/1004-305-0x00000180A0C60000-0x00000180A0CE2000-memory.dmp

Filesize
520KB

Download
memory/2044-249-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2044-242-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4204-252-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4204-211-0x000000001CAC0000-0x000000001CB0C000-memory.dmp

Filesize
304KB

Download
memory/4204-231-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4204-230-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4204-229-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4204-205-0x0000000000D90000-0x0000000000E8E000-memory.dmp

Filesize
1016KB

Download
memory/4204-226-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4204-213-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4204-214-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4204-251-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4204-212-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4204-253-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4204-254-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4204-255-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4204-256-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4204-257-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4204-258-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4204-259-0x0000000021150000-0x0000000021250000-memory.dmp

Filesize
1024KB

Download
memory/4204-263-0x0000000021150000-0x0000000021250000-memory.dmp

Filesize
1024KB

Download
memory/4204-293-0x0000000021150000-0x0000000021250000-memory.dmp

Filesize
1024KB

Download
memory/4204-210-0x00000000016E0000-0x00000000016E8000-memory.dmp

Filesize
32KB

Download
memory/4204-209-0x000000001C860000-0x000000001C8FC000-memory.dmp

Filesize
624KB

Download
memory/4204-206-0x000000001BCB0000-0x000000001BD56000-memory.dmp

Filesize
664KB

Download
memory/4204-207-0x000000001C280000-0x000000001C74E000-memory.dmp

Filesize
4.8MB

Download
memory/4204-284-0x0000000021150000-0x0000000021250000-memory.dmp

Filesize
1024KB

Download
memory/4204-208-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/4220-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4220-241-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4764-296-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4764-291-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4764-292-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4764-290-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4764-283-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4764-299-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4764-282-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4764-306-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4764-310-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4764-312-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4764-314-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download