Analysis
  max time kernel   53s
  max time network  56s
  platform          windows10-2004_x64
  resource          win10v2004-20230703-en
  resource tags     arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  submitted         18/07/2023, 20:53
  (The signatures, process tree and downloads below come from this Windows 10 run, behavioral2; the Windows 7 run, behavioral1, is not shown on this page.)
Static task      static1
Behavioral task  behavioral1
  Sample    AutoSetup.exe
  Resource  win7-20230712-en
Behavioral task  behavioral2
  Sample    AutoSetup.exe
  Resource  win10v2004-20230703-en
General
  Target  AutoSetup.exe
  Size    536KB
  MD5     6d93a2baab5525576367509416853525
  SHA1    4c2984403e224302de125ad81a011aff551fcce8
  SHA256  3ce6c698fd08c3b2aef2e2698ffee9e596b3b33ed3b78095a4e0430f1a577c16
  SHA512  2cefe0310dce1aeb2fe61d459c0f284ffe1bc87d64aa402d8e82e3b8ab15cb2b5ed71ee79eff80d753e2b4e6d3a8cef9c9c97c041937067dd6105096765aded2
  SSDEEP  6144:QYEzHrx2LNt+AvAikMy9v76alBHLSaesSkiAvHXL9yxAYQhr5ohUBr6oxPXuXxCZ:amnvJkPvualtysrHXLCALoKfCcpHcg
Malware Config
Signatures

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried  \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation  (VC_redist.x64.exe)
  Note: this IoC belongs to the dropped VC_redist.x64.exe bootstrapper (see the -burn.* command lines in the process tree), not to AutoSetup.exe itself.

Executes dropped EXE (3 IoCs)
  pid 1476  VC_redist.x64.exe
  pid 3004  VC_redist.x64.exe
  pid 3156  VC_redist.x64.exe

Loads dropped DLL (1 IoC)
  pid 3004  VC_redist.x64.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Drops file in Windows directory (2 IoCs)
  File created  C:\Windows\VC_redist.x64.exe  (AutoSetup.exe)
  File created  C:\Windows\VC_redist.x86.exe  (AutoSetup.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  (vssvc.exe)
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  (vssvc.exe)
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr  (vssvc.exe)
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not reproduced in this copy of the report)  (vssvc.exe)
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  (vssvc.exe)
  Note: all five IoCs are performed by vssvc.exe (the Volume Shadow Copy service), which appears at the top level of the process tree with no parent link to the sample. The sandbox-detection reading in the signature text therefore does not apply to AutoSetup.exe or its children.

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (msedge.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (msedge.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  (msedge.exe)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 1572 msedge.exe, pid 4684 msedge.exe, pid 4448 identity_helper.exe, pid 4084 msedge.exe (each listed twice)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid 4684 msedge.exe (7 occurrences)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 3128 WMIC.exe and pid 3288 WMIC.exe, each enabling the same privilege set:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and unresolved privilege IDs 33, 34, 35, 36.
  The list is capped at 64 entries: pid 3128 appears with the full 21-entry set twice (42), pid 3288 with the full set once plus a second SeIncreaseQuotaPrivilege (22).
  Note: both processes are the WMIC.exe instances spawned by the sample through cmd.exe. Enabling this privilege set on startup is wmic.exe's normal behaviour regardless of the query, so the signature reflects the WMIC discovery commands in the process tree rather than privilege manipulation by the sample's own code.

Suspicious use of FindShellTrayWindow (33 IoCs)
  pid 4684 msedge.exe (33 occurrences)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid 4684 msedge.exe (24 occurrences)

Suspicious use of WriteProcessMemory (64 IoCs)
  Each entry records a parent writing into a newly created child's memory at process creation. The "target" number is the report's internal process id for the child, not its PID; xN is the number of repeated entries.
  3280 AutoSetup.exe  -> 3648 cmd.exe     (target 89,  x2)
  3648 cmd.exe        -> 4684 msedge.exe  (target 90,  x2)
  3280 AutoSetup.exe  -> 4640 cmd.exe     (target 93,  x2)
  4640 cmd.exe        -> 3128 WMIC.exe    (target 94,  x2)
  4684 msedge.exe     -> 4016 msedge.exe  (target 95,  x2)
  3280 AutoSetup.exe  -> 1488 cmd.exe     (target 97,  x2)
  1488 cmd.exe        -> 3288 WMIC.exe    (target 98,  x2)
  4684 msedge.exe     -> 4276 msedge.exe  (target 99,  x40)
  4684 msedge.exe     -> 1572 msedge.exe  (target 100, x2)
  4684 msedge.exe     -> 1876 msedge.exe  (target 101, x8)
  The list is capped at 64 entries, so later process creations (the remaining Edge helpers and the VC_redist.x64.exe chain) are not represented here; their parentage is visible in the process tree below.

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Indentation shows parent/child depth as recorded by the sandbox. "Image" is the executable path and "Cmd" the command line; for the Edge helper processes the image is the msedge.exe or identity_helper.exe path quoted at the start of each command line, so only the command line is repeated. PID 1112 occurs twice, first for an identity_helper.exe child of Edge and later for mousocoreworker.exe, i.e. the PID was reused during the run.

[1] AutoSetup.exe  PID 3280
    Image  C:\Users\Admin\AppData\Local\Temp\AutoSetup.exe
    Cmd    "C:\Users\Admin\AppData\Local\Temp\AutoSetup.exe"
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory

    [2] cmd.exe  PID 3648  (hands the Sordum Defender Control download page to the default browser; stderr discarded)
        Image  C:\Windows\system32\cmd.exe
        Cmd    C:\Windows\system32\cmd.exe /c start https://www.sordum.org/files/downloads.php?st-defender-control 2>nul
        Signatures: Suspicious use of WriteProcessMemory

        [3] msedge.exe  PID 4684
            Image  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Cmd    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.sordum.org/files/downloads.php?st-defender-control
            Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
            The [4] children below are the helper processes Edge starts for a single tab; the signatures attached to them are browser behaviour, not the sample's.

            [4] PID 4016  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb4f9246f8,0x7ffb4f924708,0x7ffb4f924718
            [4] PID 4276  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
            [4] PID 1572  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
                Signatures: Suspicious behavior: EnumeratesProcesses
            [4] PID 1876  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 /prefetch:8
            [4] PID 2952  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
            [4] PID 2460  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
            [4] PID 1112  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
            [4] PID 4448  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
                Signatures: Suspicious behavior: EnumeratesProcesses
            [4] PID 1408  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
            [4] PID 2916  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
            [4] PID 4388  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
            [4] PID 2736  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4588 /prefetch:8
            [4] PID 4084  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:8
                Signatures: Suspicious behavior: EnumeratesProcesses
            [4] PID 4044  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
            [4] PID 4632  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1

    [2] cmd.exe  PID 4640  (enumerates registered antivirus products through the WMI SecurityCenter2 namespace)
        Image  C:\Windows\system32\cmd.exe
        Cmd    C:\Windows\system32\cmd.exe /c WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
        Signatures: Suspicious use of WriteProcessMemory

        [3] WMIC.exe  PID 3128
            Image  C:\Windows\System32\Wbem\WMIC.exe
            Cmd    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
            Signatures: Suspicious use of AdjustPrivilegeToken

    [2] cmd.exe  PID 1488  (queries Win32_Processor.VirtualizationFirmwareEnabled, a value commonly used as a VM/sandbox heuristic)
        Image  C:\Windows\system32\cmd.exe
        Cmd    C:\Windows\system32\cmd.exe /c WMIC CPU Get VirtualizationFirmwareEnabled
        Signatures: Suspicious use of WriteProcessMemory

        [3] WMIC.exe  PID 3288
            Image  C:\Windows\System32\Wbem\WMIC.exe
            Cmd    WMIC CPU Get VirtualizationFirmwareEnabled
            Signatures: Suspicious use of AdjustPrivilegeToken

    [2] cmd.exe  PID 4300  (silent, no-restart run of the bootstrapper the sample dropped into C:\Windows)
        Image  C:\Windows\system32\cmd.exe
        Cmd    C:\Windows\system32\cmd.exe /c C:\Windows\VC_redist.x64.exe /setup /q /norestart 2>nul

        [3] VC_redist.x64.exe  PID 1476
            Image  C:\Windows\VC_redist.x64.exe
            Cmd    C:\Windows\VC_redist.x64.exe /setup /q /norestart
            Signatures: Executes dropped EXE

            [4] VC_redist.x64.exe  PID 3004  (WiX Burn "clean room" copy of the bundle)
                Image  C:\Windows\Temp\{B360C2F5-E9D1-4FEE-9F81-F70F46DAD3C6}\.cr\VC_redist.x64.exe
                Cmd    "C:\Windows\Temp\{B360C2F5-E9D1-4FEE-9F81-F70F46DAD3C6}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Windows\VC_redist.x64.exe" -burn.filehandle.attached=552 -burn.filehandle.self=700 /setup /q /norestart
                Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL

                [5] VC_redist.x64.exe  PID 3156  (Burn elevated engine; the trailing 3004 is the PID of the clean-room process it talks to over the named pipe)
                    Image  C:\Windows\Temp\{C8006345-BF8B-4943-A8C5-F2AFDF1E581B}\.be\VC_redist.x64.exe
                    Cmd    "C:\Windows\Temp\{C8006345-BF8B-4943-A8C5-F2AFDF1E581B}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{B6CFCD4C-FCF6-4CD1-88D9-6EDA5617C29A} {72B6E753-6582-4329-9456-D283C9FB1584} 3004
                    Signatures: Executes dropped EXE

        The -burn.* handoff is the standard WiX Burn bootstrapper sequence, consistent with the Visual C++ Redistributable the file name suggests, but the report records no signature check of the dropped files. Compare their hashes (Downloads section) against a known-good redistributable before treating the drop into C:\Windows as benign; VC_redist.x86.exe was dropped as well but is never executed in this run.

[1] CompPkgSrv.exe  PID 3980
    Cmd  C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] CompPkgSrv.exe  PID 4196
    Cmd  C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] mousocoreworker.exe  PID 1112
    Cmd  C:\Windows\System32\mousocoreworker.exe -Embedding
[1] vssvc.exe  PID 2168
    Cmd  C:\Windows\system32\vssvc.exe
    Signatures: Checks SCSI registry key(s)
    (These four are COM-activated system processes shown at the top level, i.e. without a parent link to the sample in the report; vssvc.exe is the source of every SCSI registry IoC listed under Signatures.)
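The discovery chain in the process tree (AutoSetup.exe spawning cmd.exe for the SecurityCenter2 antivirus query, the VirtualizationFirmwareEnabled query, the "start <URL>" browser launch, and the dropped executable run from the root of C:\Windows) is the kind of sequence the flat Signatures list flags one item at a time. The script below is an added example, not part of the Triage report or of the sample: it expresses those four behaviours as detection rules over process-creation events and uses parent lineage to separate the sample-driven instances from an identical query typed by an administrator. The event records are constructed from the page's process tree (the parent of AutoSetup.exe is not in the report and is recorded as 0), the field names are assumptions modelled on Sysmon Event ID 1, the powershell.exe control event is invented, and the C:\Windows allowlist is a partial illustration.

```python
"""Lineage-aware detection of the discovery chain seen in this report.

Added example (not from the Triage report or the sample). Events are
constructed from the page's process tree; field names mimic Sysmon Event ID 1
(assumption). One assumed benign control event (an admin running the same WMI
query from an interactive shell) shows why lineage matters.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
WMIC = r"C:\Windows\System32\Wbem\WMIC.exe"
CMD = r"C:\Windows\system32\cmd.exe"
URL = "https://www.sordum.org/files/downloads.php?st-defender-control"
AV_QUERY = r"WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"

# Constructed from the report's process tree (ppid 0 = parent not in the report).
EVENTS = [
    Event(3280, 0, TEMP + r"\AutoSetup.exe", f'"{TEMP}\\AutoSetup.exe"'),
    Event(3648, 3280, CMD, f"{CMD} /c start {URL} 2>nul"),
    Event(4684, 3648, EDGE, f'"{EDGE}" --single-argument {URL}'),
    Event(4640, 3280, CMD, f"{CMD} /c {AV_QUERY}"),
    Event(3128, 4640, WMIC, AV_QUERY),
    Event(1488, 3280, CMD, f"{CMD} /c WMIC CPU Get VirtualizationFirmwareEnabled"),
    Event(3288, 1488, WMIC, "WMIC CPU Get VirtualizationFirmwareEnabled"),
    Event(4300, 3280, CMD, f"{CMD} /c C:\\Windows\\VC_redist.x64.exe /setup /q /norestart 2>nul"),
    Event(1476, 4300, r"C:\Windows\VC_redist.x64.exe", r"C:\Windows\VC_redist.x64.exe /setup /q /norestart"),
    # Assumed benign control (not in the report): the same AV query from an admin shell.
    Event(5000, 0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    Event(5001, 5000, WMIC, r"WMIC /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName"),
]

# Executables that legitimately live directly in C:\Windows (partial allowlist, assumption).
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe"}
# Ancestor paths that mark a chain as started by something dropped into a user-writable Temp.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def _is(e, name):
    """True when the event's image file name is `name` (case-insensitive)."""
    return e.image.lower().endswith("\\" + name)


RULES = {
    # Security software discovery through the WMI SecurityCenter2 namespace (ATT&CK T1518.001)
    "av_product_enumeration_wmi": lambda e: _is(e, "wmic.exe")
        and re.search(r"securitycenter2.*antivirusproduct", e.cmdline, re.I) is not None,
    # VM/sandbox heuristic via Win32_Processor.VirtualizationFirmwareEnabled (ATT&CK T1497)
    "virtualization_firmware_check_wmi": lambda e: _is(e, "wmic.exe")
        and re.search(r"\bVirtualizationFirmwareEnabled\b", e.cmdline, re.I) is not None,
    # cmd.exe handing a URL to the default browser
    "cmd_start_url": lambda e: _is(e, "cmd.exe")
        and re.search(r"/c\s+start\s+https?://", e.cmdline, re.I) is not None,
    # Executable launched from the root of C:\Windows, where the sample dropped VC_redist
    "exe_run_from_windows_root": lambda e:
        re.fullmatch(r"C:\\Windows\\[^\\]+\.exe", e.image, re.I) is not None
        and e.image.rsplit("\\", 1)[-1].lower() not in WINDOWS_ROOT_ALLOWLIST,
}


def lineage(index, pid):
    """Return [event, parent, grandparent, ...], stopping at an unknown or cyclic parent."""
    chain, seen = [], set()
    e = index.get(pid)
    while e is not None and e.pid not in seen:
        seen.add(e.pid)
        chain.append(e)
        e = index.get(e.ppid)
    return chain


def detect(events):
    """Apply RULES to every event; escalate to high when an ancestor runs from a Temp path."""
    index = {e.pid: e for e in events}
    hits = []
    for e in events:
        for name, match in RULES.items():
            if not match(e):
                continue
            chain = lineage(index, e.pid)
            origin = next((a.image for a in chain if USER_WRITABLE.match(a.image)), None)
            hits.append({
                "rule": name, "pid": e.pid, "image": e.image, "origin": origin,
                "severity": "high" if origin else "low",
                "chain": " -> ".join(a.image.rsplit("\\", 1)[-1] for a in reversed(chain)),
            })
    return hits


def by_origin(hits):
    """Group fired rule names by the Temp-resident ancestor that started the chain (None if none)."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["origin"], set()).add(h["rule"])
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f'{h["severity"]:4} {h["rule"]:36} pid={h["pid"]:<5} {h["chain"]}')
```

Run directly, the script prints five hits. The two SecurityCenter2 queries fire the same rule, but only the one whose lineage leads back to the Temp-resident AutoSetup.exe is raised to high; the invented powershell.exe control stays low. Grouping by origin then collapses the four sample-driven hits into a single entity, which is the view the per-signature IoC tables above do not give.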
Network
MITRE ATT&CK Enterprise v6
Downloads
(File names and paths are not shown in the report; entries are listed by size and hash. Entries with identical hashes are listed once below with the number of times they appear in the report.)

Filesize 152B
  MD5     f6f47b83c67fe32ee32811d6611d269c
  SHA1    b32353d1d0ed26e0dd5b5f1f402ffd41a105d025
  SHA256  ac1866f15ff34d1df4dafa761dbb7dc2c712fe01ac0e171706ef29e205549cbc
  SHA512  6ee068efa9fbd3c972169427be2f6377a1204bf99b61579e4d78643e89e729ad65f2abcc70007fd0dd38428e7cd39010a253d6f9cd5e90409e207ddaf5d6720d

Filesize 111B
  MD5     285252a2f6327d41eab203dc2f402c67
  SHA1    acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256  5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512  11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize 6KB
  MD5     1c3b82d0648d5c9ee1b84bc1c800793f
  SHA1    1d3fea06d346a1f715b7eb5630d8b7da304037ef
  SHA256  577f1814f2f96a801b6c30eccfe261b890fa4015b6d8547cb9310ef976646fb0
  SHA512  19d159d7ad12271d62a842da2eb0cd5fe54326304f53b439c7dcf88a60c2793297ed9e15d8bffe9b001807a11364e92bcd1780fc76aed052552ee5eeb5d1e5a7

Filesize 5KB
  MD5     e06ec99113f04cef12b23d29b3bc79d7
  SHA1    50d662fc0f4cad22de90cbc729b0e7575ce21324
  SHA256  f7645f7fb4fa3224baa30e0e35d055048166e708a121a2911a8ae138bb1c602c
  SHA512  804ce037f4514bfadb8bfdb7a2d122302907236f4e8fe6664772322fed8bd40a4b86f34c3020c68f835d40b28f709312aa90eccd3da8d9f1adde1a965363be05

Filesize 24KB
  MD5     5544c64f2a8f49dabc19eb84267b1c9b
  SHA1    c5b78d63a8bab1c7b985f7ea2f268d0d7809071e
  SHA256  a1fcfee2974a77e76a7431a2069db301861ab42dd41769cead8697f41f5a497f
  SHA512  38c80d7c810441fc87beff38929473088cf426b0a25a30820d8a060f493350d99bb8521b314afe00578ea54648fce2aa4e55880a83a4f1048c56307991726565

Filesize 16B
  MD5     6752a1d65b201c13b62ea44016eb221f
  SHA1    58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize 12KB
  MD5     e41610d8be01e561d15e03ead4c7131d
  SHA1    382b3d525fd2a8dea7289d62858fe422b7155349
  SHA256  63a0e591beb77c918e7cab7f10fdf6e2f22d4096837b30fa7c68affa2448725a
  SHA512  59ecb5f7f0048a99fa921bbabde1bab6e048be1522ab5ed0e402d1de5b26dc834b1597bd7c93d9d517b2e0fc7d8fd67ce7366cf168ed61effbbcead5cc2c4f0f

Filesize 446KB
  MD5     958f7ac57aa235e121c10593655e03c6
  SHA1    d0e07820a1dd4ad287d2b93a946c7614f3fdaf8f
  SHA256  3cc1892a96ab9b05016393fb5a74f8854f3ddf0eebd7a1e9233cbc89c87ae913
  SHA512  4641957e4ab58494328557b92ed59bdb93c2d8a6be11ea10ef5c4f79ace73e779b75189c2273f82d7d540bc6a1c59a89b775dece7989fb937f7dc0dadbd0980c

Filesize 635KB  (this entry appears 5 times in the report)
  MD5     35e545dac78234e4040a99cbb53000ac
  SHA1    ae674cc167601bd94e12d7ae190156e2c8913dc5
  SHA256  9a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6
  SHA512  bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3

Filesize 1KB
  MD5     d6bd210f227442b3362493d046cea233
  SHA1    ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
  SHA256  335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
  SHA512  464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Filesize 191KB
  MD5     eab9caf4277829abdf6223ec1efa0edd
  SHA1    74862ecf349a9bedd32699f2a7a4e00b4727543d
  SHA256  a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
  SHA512  45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Filesize 24.2MB  (this entry appears 3 times in the report)
  MD5     077f0abdc2a3881d5c6c774af821f787
  SHA1    c483f66c48ba83e99c764d957729789317b09c6b
  SHA256  917c37d816488545b70affd77d6e486e4dd27e2ece63f6bbaaf486b178b2b888
  SHA512  70a888d5891efd2a48d33c22f35e9178bd113032162dc5a170e7c56f2d592e3c59a08904b9f1b54450c80f8863bda746e431b396e4c1624b91ff15dd701bd939