3ce6c698fd08c3b2aef2e2698ffee9e596b3b33ed3b78095a4e0430f1a577c16

Analysis

max time kernel
53s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/07/2023, 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoSetup.exe
Size

536KB
MD5

6d93a2baab5525576367509416853525
SHA1

4c2984403e224302de125ad81a011aff551fcce8
SHA256

3ce6c698fd08c3b2aef2e2698ffee9e596b3b33ed3b78095a4e0430f1a577c16
SHA512

2cefe0310dce1aeb2fe61d459c0f284ffe1bc87d64aa402d8e82e3b8ab15cb2b5ed71ee79eff80d753e2b4e6d3a8cef9c9c97c041937067dd6105096765aded2
SSDEEP

6144:QYEzHrx2LNt+AvAikMy9v76alBHLSaesSkiAvHXL9yxAYQhr5ohUBr6oxPXuXxCZ:amnvJkPvualtysrHXLCALoKfCcpHcg

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	VC_redist.x64.exe

Executes dropped EXE 3 IoCs

pid	Process
1476	VC_redist.x64.exe
3004	VC_redist.x64.exe
3156	VC_redist.x64.exe

Loads dropped DLL 1 IoCs

pid	Process
3004	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\VC_redist.x64.exe	AutoSetup.exe
File created	C:\Windows\VC_redist.x86.exe	AutoSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b893ca0f38e622ee0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b893ca0f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000000032000000ffffffff000000000700010000680900b893ca0f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01232000000000020ed0d000000ffffffff000000000700010000680919b893ca0f000000000000d0123200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b893ca0f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
4684	msedge.exe
4684	msedge.exe
4448	identity_helper.exe
4448	identity_helper.exe
4084	msedge.exe
4084	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3128	WMIC.exe
Token: SeSecurityPrivilege	3128	WMIC.exe
Token: SeTakeOwnershipPrivilege	3128	WMIC.exe
Token: SeLoadDriverPrivilege	3128	WMIC.exe
Token: SeSystemProfilePrivilege	3128	WMIC.exe
Token: SeSystemtimePrivilege	3128	WMIC.exe
Token: SeProfSingleProcessPrivilege	3128	WMIC.exe
Token: SeIncBasePriorityPrivilege	3128	WMIC.exe
Token: SeCreatePagefilePrivilege	3128	WMIC.exe
Token: SeBackupPrivilege	3128	WMIC.exe
Token: SeRestorePrivilege	3128	WMIC.exe
Token: SeShutdownPrivilege	3128	WMIC.exe
Token: SeDebugPrivilege	3128	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3128	WMIC.exe
Token: SeRemoteShutdownPrivilege	3128	WMIC.exe
Token: SeUndockPrivilege	3128	WMIC.exe
Token: SeManageVolumePrivilege	3128	WMIC.exe
Token: 33	3128	WMIC.exe
Token: 34	3128	WMIC.exe
Token: 35	3128	WMIC.exe
Token: 36	3128	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3128	WMIC.exe
Token: SeSecurityPrivilege	3128	WMIC.exe
Token: SeTakeOwnershipPrivilege	3128	WMIC.exe
Token: SeLoadDriverPrivilege	3128	WMIC.exe
Token: SeSystemProfilePrivilege	3128	WMIC.exe
Token: SeSystemtimePrivilege	3128	WMIC.exe
Token: SeProfSingleProcessPrivilege	3128	WMIC.exe
Token: SeIncBasePriorityPrivilege	3128	WMIC.exe
Token: SeCreatePagefilePrivilege	3128	WMIC.exe
Token: SeBackupPrivilege	3128	WMIC.exe
Token: SeRestorePrivilege	3128	WMIC.exe
Token: SeShutdownPrivilege	3128	WMIC.exe
Token: SeDebugPrivilege	3128	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3128	WMIC.exe
Token: SeRemoteShutdownPrivilege	3128	WMIC.exe
Token: SeUndockPrivilege	3128	WMIC.exe
Token: SeManageVolumePrivilege	3128	WMIC.exe
Token: 33	3128	WMIC.exe
Token: 34	3128	WMIC.exe
Token: 35	3128	WMIC.exe
Token: 36	3128	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3288	WMIC.exe
Token: SeSecurityPrivilege	3288	WMIC.exe
Token: SeTakeOwnershipPrivilege	3288	WMIC.exe
Token: SeLoadDriverPrivilege	3288	WMIC.exe
Token: SeSystemProfilePrivilege	3288	WMIC.exe
Token: SeSystemtimePrivilege	3288	WMIC.exe
Token: SeProfSingleProcessPrivilege	3288	WMIC.exe
Token: SeIncBasePriorityPrivilege	3288	WMIC.exe
Token: SeCreatePagefilePrivilege	3288	WMIC.exe
Token: SeBackupPrivilege	3288	WMIC.exe
Token: SeRestorePrivilege	3288	WMIC.exe
Token: SeShutdownPrivilege	3288	WMIC.exe
Token: SeDebugPrivilege	3288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3288	WMIC.exe
Token: SeRemoteShutdownPrivilege	3288	WMIC.exe
Token: SeUndockPrivilege	3288	WMIC.exe
Token: SeManageVolumePrivilege	3288	WMIC.exe
Token: 33	3288	WMIC.exe
Token: 34	3288	WMIC.exe
Token: 35	3288	WMIC.exe
Token: 36	3288	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3288	WMIC.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe
4684	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 3648	3280	AutoSetup.exe	89
PID 3280 wrote to memory of 3648	3280	AutoSetup.exe	89
PID 3648 wrote to memory of 4684	3648	cmd.exe	90
PID 3648 wrote to memory of 4684	3648	cmd.exe	90
PID 3280 wrote to memory of 4640	3280	AutoSetup.exe	93
PID 3280 wrote to memory of 4640	3280	AutoSetup.exe	93
PID 4640 wrote to memory of 3128	4640	cmd.exe	94
PID 4640 wrote to memory of 3128	4640	cmd.exe	94
PID 4684 wrote to memory of 4016	4684	msedge.exe	95
PID 4684 wrote to memory of 4016	4684	msedge.exe	95
PID 3280 wrote to memory of 1488	3280	AutoSetup.exe	97
PID 3280 wrote to memory of 1488	3280	AutoSetup.exe	97
PID 1488 wrote to memory of 3288	1488	cmd.exe	98
PID 1488 wrote to memory of 3288	1488	cmd.exe	98
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 4276	4684	msedge.exe	99
PID 4684 wrote to memory of 1572	4684	msedge.exe	100
PID 4684 wrote to memory of 1572	4684	msedge.exe	100
PID 4684 wrote to memory of 1876	4684	msedge.exe	101
PID 4684 wrote to memory of 1876	4684	msedge.exe	101
PID 4684 wrote to memory of 1876	4684	msedge.exe	101
PID 4684 wrote to memory of 1876	4684	msedge.exe	101
PID 4684 wrote to memory of 1876	4684	msedge.exe	101
PID 4684 wrote to memory of 1876	4684	msedge.exe	101
PID 4684 wrote to memory of 1876	4684	msedge.exe	101
PID 4684 wrote to memory of 1876	4684	msedge.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\AutoSetup.exe
"C:\Users\Admin\AppData\Local\Temp\AutoSetup.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://www.sordum.org/files/downloads.php?st-defender-control 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.sordum.org/files/downloads.php?st-defender-control
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb4f9246f8,0x7ffb4f924708,0x7ffb4f924718
      4⤵
      PID:4016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
      4⤵
      PID:4276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 /prefetch:8
      4⤵
      PID:1876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      4⤵
      PID:2952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      4⤵
      PID:2460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
      4⤵
      PID:1112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
      4⤵
      PID:1408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
      4⤵
      PID:2916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
      4⤵
      PID:4388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4588 /prefetch:8
      4⤵
      PID:2736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
      4⤵
      PID:4044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9445030556576322144,13081209334173225585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
      4⤵
      PID:4632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c WMIC CPU Get VirtualizationFirmwareEnabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC CPU Get VirtualizationFirmwareEnabled
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\VC_redist.x64.exe /setup /q /norestart 2>nul
  2⤵
  PID:4300
- - C:\Windows\VC_redist.x64.exe
    C:\Windows\VC_redist.x64.exe /setup /q /norestart
    3⤵
    - Executes dropped EXE
    PID:1476
  - - C:\Windows\Temp\{B360C2F5-E9D1-4FEE-9F81-F70F46DAD3C6}\.cr\VC_redist.x64.exe
      "C:\Windows\Temp\{B360C2F5-E9D1-4FEE-9F81-F70F46DAD3C6}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Windows\VC_redist.x64.exe" -burn.filehandle.attached=552 -burn.filehandle.self=700 /setup /q /norestart
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:3004
    - - C:\Windows\Temp\{C8006345-BF8B-4943-A8C5-F2AFDF1E581B}\.be\VC_redist.x64.exe
        
        "C:\Windows\Temp\{C8006345-BF8B-4943-A8C5-F2AFDF1E581B}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{B6CFCD4C-FCF6-4CD1-88D9-6EDA5617C29A} {72B6E753-6582-4329-9456-D283C9FB1584} 3004
        5⤵
        Executes dropped EXE
        
        PID:3156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4196

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f6f47b83c67fe32ee32811d6611d269c

SHA1
b32353d1d0ed26e0dd5b5f1f402ffd41a105d025

SHA256
ac1866f15ff34d1df4dafa761dbb7dc2c712fe01ac0e171706ef29e205549cbc

SHA512
6ee068efa9fbd3c972169427be2f6377a1204bf99b61579e4d78643e89e729ad65f2abcc70007fd0dd38428e7cd39010a253d6f9cd5e90409e207ddaf5d6720d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c3b82d0648d5c9ee1b84bc1c800793f

SHA1
1d3fea06d346a1f715b7eb5630d8b7da304037ef

SHA256
577f1814f2f96a801b6c30eccfe261b890fa4015b6d8547cb9310ef976646fb0

SHA512
19d159d7ad12271d62a842da2eb0cd5fe54326304f53b439c7dcf88a60c2793297ed9e15d8bffe9b001807a11364e92bcd1780fc76aed052552ee5eeb5d1e5a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e06ec99113f04cef12b23d29b3bc79d7

SHA1
50d662fc0f4cad22de90cbc729b0e7575ce21324

SHA256
f7645f7fb4fa3224baa30e0e35d055048166e708a121a2911a8ae138bb1c602c

SHA512
804ce037f4514bfadb8bfdb7a2d122302907236f4e8fe6664772322fed8bd40a4b86f34c3020c68f835d40b28f709312aa90eccd3da8d9f1adde1a965363be05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5544c64f2a8f49dabc19eb84267b1c9b

SHA1
c5b78d63a8bab1c7b985f7ea2f268d0d7809071e

SHA256
a1fcfee2974a77e76a7431a2069db301861ab42dd41769cead8697f41f5a497f

SHA512
38c80d7c810441fc87beff38929473088cf426b0a25a30820d8a060f493350d99bb8521b314afe00578ea54648fce2aa4e55880a83a4f1048c56307991726565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e41610d8be01e561d15e03ead4c7131d

SHA1
382b3d525fd2a8dea7289d62858fe422b7155349

SHA256
63a0e591beb77c918e7cab7f10fdf6e2f22d4096837b30fa7c68affa2448725a

SHA512
59ecb5f7f0048a99fa921bbabde1bab6e048be1522ab5ed0e402d1de5b26dc834b1597bd7c93d9d517b2e0fc7d8fd67ce7366cf168ed61effbbcead5cc2c4f0f

Download Submit
C:\Users\Admin\Downloads\contd.rar

Filesize
446KB

MD5
958f7ac57aa235e121c10593655e03c6

SHA1
d0e07820a1dd4ad287d2b93a946c7614f3fdaf8f

SHA256
3cc1892a96ab9b05016393fb5a74f8854f3ddf0eebd7a1e9233cbc89c87ae913

SHA512
4641957e4ab58494328557b92ed59bdb93c2d8a6be11ea10ef5c4f79ace73e779b75189c2273f82d7d540bc6a1c59a89b775dece7989fb937f7dc0dadbd0980c

Download Submit
C:\Windows\Temp\{B360C2F5-E9D1-4FEE-9F81-F70F46DAD3C6}\.cr\VC_redist.x64.exe

Filesize
635KB

MD5
35e545dac78234e4040a99cbb53000ac

SHA1
ae674cc167601bd94e12d7ae190156e2c8913dc5

SHA256
9a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6

SHA512
bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3

Download Submit
C:\Windows\Temp\{B360C2F5-E9D1-4FEE-9F81-F70F46DAD3C6}\.cr\VC_redist.x64.exe

Filesize
635KB

MD5
35e545dac78234e4040a99cbb53000ac

SHA1
ae674cc167601bd94e12d7ae190156e2c8913dc5

SHA256
9a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6

SHA512
bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3

Download Submit
C:\Windows\Temp\{C8006345-BF8B-4943-A8C5-F2AFDF1E581B}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{C8006345-BF8B-4943-A8C5-F2AFDF1E581B}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{C8006345-BF8B-4943-A8C5-F2AFDF1E581B}\.be\VC_redist.x64.exe

Filesize
635KB

MD5
35e545dac78234e4040a99cbb53000ac

SHA1
ae674cc167601bd94e12d7ae190156e2c8913dc5

SHA256
9a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6

SHA512
bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3

Download Submit
C:\Windows\Temp\{C8006345-BF8B-4943-A8C5-F2AFDF1E581B}\.be\VC_redist.x64.exe

Filesize
635KB

MD5
35e545dac78234e4040a99cbb53000ac

SHA1
ae674cc167601bd94e12d7ae190156e2c8913dc5

SHA256
9a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6

SHA512
bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3

Download Submit
C:\Windows\Temp\{C8006345-BF8B-4943-A8C5-F2AFDF1E581B}\.be\VC_redist.x64.exe

Filesize
635KB

MD5
35e545dac78234e4040a99cbb53000ac

SHA1
ae674cc167601bd94e12d7ae190156e2c8913dc5

SHA256
9a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6

SHA512
bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3

Download Submit
C:\Windows\VC_redist.x64.exe

Filesize
24.2MB

MD5
077f0abdc2a3881d5c6c774af821f787

SHA1
c483f66c48ba83e99c764d957729789317b09c6b

SHA256
917c37d816488545b70affd77d6e486e4dd27e2ece63f6bbaaf486b178b2b888

SHA512
70a888d5891efd2a48d33c22f35e9178bd113032162dc5a170e7c56f2d592e3c59a08904b9f1b54450c80f8863bda746e431b396e4c1624b91ff15dd701bd939

Download Submit
C:\Windows\VC_redist.x64.exe

Filesize
24.2MB

MD5
077f0abdc2a3881d5c6c774af821f787

SHA1
c483f66c48ba83e99c764d957729789317b09c6b

SHA256
917c37d816488545b70affd77d6e486e4dd27e2ece63f6bbaaf486b178b2b888

SHA512
70a888d5891efd2a48d33c22f35e9178bd113032162dc5a170e7c56f2d592e3c59a08904b9f1b54450c80f8863bda746e431b396e4c1624b91ff15dd701bd939

Download Submit
C:\Windows\VC_redist.x64.exe

Filesize
24.2MB

MD5
077f0abdc2a3881d5c6c774af821f787

SHA1
c483f66c48ba83e99c764d957729789317b09c6b

SHA256
917c37d816488545b70affd77d6e486e4dd27e2ece63f6bbaaf486b178b2b888

SHA512
70a888d5891efd2a48d33c22f35e9178bd113032162dc5a170e7c56f2d592e3c59a08904b9f1b54450c80f8863bda746e431b396e4c1624b91ff15dd701bd939

Download Submit