89e2878d0a774e09950388d581f75fe27264bc818ea725afd4403ecfa9dcf729

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\Parameters\ServiceDll = "C:\\Windows\\SYSTEM32\\w32time.DLL"	w32tm.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\Parameters\ServiceDll = "C:\\Windows\\SYSTEM32\\w32time.DLL"	w32tm.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	VC_redist.x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	VC_redist.x86.exe

Executes dropped EXE 6 IoCs

pid	Process
5404	VC_redist.x64.exe
5648	VC_redist.x64.exe
5940	VC_redist.x64.exe
2236	VC_redist.x86.exe
4800	VC_redist.x86.exe
6132	VC_redist.x86.exe

Loads dropped DLL 4 IoCs

pid	Process
5648	VC_redist.x64.exe
5784	VC_redist.x64.exe
4800	VC_redist.x86.exe
5688	backgroundTaskHost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{1de5e707-82da-4db6-b810-5d140cc4cbb3} = "\"C:\\ProgramData\\Package Cache\\{1de5e707-82da-4db6-b810-5d140cc4cbb3}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{2cfeba4a-21f8-4ea7-9927-c5a5c6f13cc9} = "\"C:\\ProgramData\\Package Cache\\{2cfeba4a-21f8-4ea7-9927-c5a5c6f13cc9}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIA6C1.tmp	msiexec.exe
File created	C:\Windows\Installer\e57a32e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB05A.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5CA9AE7B-2EFC-4F02-81CD-32ABE173C755}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e57a318.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a319.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a341.msi	msiexec.exe
File created	C:\Windows\Installer\e57a319.msi	msiexec.exe
File created	C:\Windows\Installer\e57a32f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a32f.msi	msiexec.exe
File created	C:\Windows\Installer\e57a340.msi	msiexec.exe
File created	C:\Windows\VC_redist.x64.exe	Loader_Setup.exe
File opened for modification	C:\Windows\Installer\MSIA43F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a306.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA78D.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DF1B52DF-C88E-4DDF-956B-6E7A03327F46}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAEA4.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA50B.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1CA7421F-A225-4A9C-B320-A36981A2B789}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C31777DB-51C1-4B19-9F80-38EF5C1D7C89}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE07.tmp	msiexec.exe
File created	C:\Windows\VC_redist.x86.exe	Loader_Setup.exe
File created	C:\Windows\Installer\e57a306.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB136.tmp	msiexec.exe
File created	C:\Windows\Installer\e57a356.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e57a341.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005cf4f6141e81f6580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005cf4f6140000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005cf4f614000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5cf4f614000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005cf4f61400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Dependents\{1de5e707-82da-4db6-b810-5d140cc4cbb3}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BD77713C1C1591B4F90883FEC5D1C798	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD25B1FDE88CFDD459B6E6A73023F764	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle\Dependents\{2cfeba4a-21f8-4ea7-9927-c5a5c6f13cc9}	VC_redist.x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7EA9AC5CFE220F418DC23BA1E377C55\AdvertiseFlags = "388"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7EA9AC5CFE220F418DC23BA1E377C55\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Dependents	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.38.33130"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{1CA7421F-A225-4A9C-B320-A36981A2B789}v14.38.33130\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Version = "14.38.33130.0"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X64,AMD64,14.30,BUNDLE\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD25B1FDE88CFDD459B6E6A73023F764\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B7EA9AC5CFE220F418DC23BA1E377C55	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7EA9AC5CFE220F418DC23BA1E377C55\ProductName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.38.33130"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.38.33130"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{C31777DB-51C1-4B19-9F80-38EF5C1D7C89}v14.38.33130\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{2cfeba4a-21f8-4ea7-9927-c5a5c6f13cc9}	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.38.33130"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{C31777DB-51C1-4B19-9F80-38EF5C1D7C89}"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\ = "{5CA9AE7B-2EFC-4F02-81CD-32ABE173C755}"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X86,X86,14.30,BUNDLE\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.38.33130"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\BD77713C1C1591B4F90883FEC5D1C798	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FD25B1FDE88CFDD459B6E6A73023F764\VC_Runtime_Minimum	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B7EA9AC5CFE220F418DC23BA1E377C55\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle\Dependents	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD25B1FDE88CFDD459B6E6A73023F764\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{DF1B52DF-C88E-4DDF-956B-6E7A03327F46}v14.38.33130\\packages\\vcRuntimeMinimum_x86\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{1CA7421F-A225-4A9C-B320-A36981A2B789}v14.38.33130\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BD77713C1C1591B4F90883FEC5D1C798\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{C31777DB-51C1-4B19-9F80-38EF5C1D7C89}v14.38.33130\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD25B1FDE88CFDD459B6E6A73023F764\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7EA9AC5CFE220F418DC23BA1E377C55\PackageCode = "CF8D99F18D126444D855C9CF7FA31BCA"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7EA9AC5CFE220F418DC23BA1E377C55\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\F1247AC1522AC9A43B023A96182A7B98	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7EA9AC5CFE220F418DC23BA1E377C55\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{5CA9AE7B-2EFC-4F02-81CD-32ABE173C755}v14.38.33130\\packages\\vcRuntimeAdditional_x86\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FD25B1FDE88CFDD459B6E6A73023F764\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{DF1B52DF-C88E-4DDF-956B-6E7A03327F46}v14.38.33130\\packages\\vcRuntimeMinimum_x86\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B7EA9AC5CFE220F418DC23BA1E377C55\Provider	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\Version = "237404522"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{1de5e707-82da-4db6-b810-5d140cc4cbb3}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Dependents\{2cfeba4a-21f8-4ea7-9927-c5a5c6f13cc9}	VC_redist.x86.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
624	msedge.exe
624	msedge.exe
3160	identity_helper.exe
3160	identity_helper.exe
4568	msedge.exe
4568	msedge.exe
5876	msiexec.exe
5876	msiexec.exe
5876	msiexec.exe
5876	msiexec.exe
5876	msiexec.exe
5876	msiexec.exe
5876	msiexec.exe
5876	msiexec.exe
5876	msiexec.exe
5876	msiexec.exe
5876	msiexec.exe
5876	msiexec.exe
5876	msiexec.exe
5876	msiexec.exe
5876	msiexec.exe
5876	msiexec.exe
6028	msedge.exe
6028	msedge.exe
6028	msedge.exe
6028	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3756	WMIC.exe
Token: SeSecurityPrivilege	3756	WMIC.exe
Token: SeTakeOwnershipPrivilege	3756	WMIC.exe
Token: SeLoadDriverPrivilege	3756	WMIC.exe
Token: SeSystemProfilePrivilege	3756	WMIC.exe
Token: SeSystemtimePrivilege	3756	WMIC.exe
Token: SeProfSingleProcessPrivilege	3756	WMIC.exe
Token: SeIncBasePriorityPrivilege	3756	WMIC.exe
Token: SeCreatePagefilePrivilege	3756	WMIC.exe
Token: SeBackupPrivilege	3756	WMIC.exe
Token: SeRestorePrivilege	3756	WMIC.exe
Token: SeShutdownPrivilege	3756	WMIC.exe
Token: SeDebugPrivilege	3756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3756	WMIC.exe
Token: SeRemoteShutdownPrivilege	3756	WMIC.exe
Token: SeUndockPrivilege	3756	WMIC.exe
Token: SeManageVolumePrivilege	3756	WMIC.exe
Token: 33	3756	WMIC.exe
Token: 34	3756	WMIC.exe
Token: 35	3756	WMIC.exe
Token: 36	3756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3756	WMIC.exe
Token: SeSecurityPrivilege	3756	WMIC.exe
Token: SeTakeOwnershipPrivilege	3756	WMIC.exe
Token: SeLoadDriverPrivilege	3756	WMIC.exe
Token: SeSystemProfilePrivilege	3756	WMIC.exe
Token: SeSystemtimePrivilege	3756	WMIC.exe
Token: SeProfSingleProcessPrivilege	3756	WMIC.exe
Token: SeIncBasePriorityPrivilege	3756	WMIC.exe
Token: SeCreatePagefilePrivilege	3756	WMIC.exe
Token: SeBackupPrivilege	3756	WMIC.exe
Token: SeRestorePrivilege	3756	WMIC.exe
Token: SeShutdownPrivilege	3756	WMIC.exe
Token: SeDebugPrivilege	3756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3756	WMIC.exe
Token: SeRemoteShutdownPrivilege	3756	WMIC.exe
Token: SeUndockPrivilege	3756	WMIC.exe
Token: SeManageVolumePrivilege	3756	WMIC.exe
Token: 33	3756	WMIC.exe
Token: 34	3756	WMIC.exe
Token: 35	3756	WMIC.exe
Token: 36	3756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1284	WMIC.exe
Token: SeSecurityPrivilege	1284	WMIC.exe
Token: SeTakeOwnershipPrivilege	1284	WMIC.exe
Token: SeLoadDriverPrivilege	1284	WMIC.exe
Token: SeSystemProfilePrivilege	1284	WMIC.exe
Token: SeSystemtimePrivilege	1284	WMIC.exe
Token: SeProfSingleProcessPrivilege	1284	WMIC.exe
Token: SeIncBasePriorityPrivilege	1284	WMIC.exe
Token: SeCreatePagefilePrivilege	1284	WMIC.exe
Token: SeBackupPrivilege	1284	WMIC.exe
Token: SeRestorePrivilege	1284	WMIC.exe
Token: SeShutdownPrivilege	1284	WMIC.exe
Token: SeDebugPrivilege	1284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1284	WMIC.exe
Token: SeRemoteShutdownPrivilege	1284	WMIC.exe
Token: SeUndockPrivilege	1284	WMIC.exe
Token: SeManageVolumePrivilege	1284	WMIC.exe
Token: 33	1284	WMIC.exe
Token: 34	1284	WMIC.exe
Token: 35	1284	WMIC.exe
Token: 36	1284	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1284	WMIC.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe
624	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 1124	1848	Loader_Setup.exe	94
PID 1848 wrote to memory of 1124	1848	Loader_Setup.exe	94
PID 1124 wrote to memory of 624	1124	cmd.exe	110
PID 1124 wrote to memory of 624	1124	cmd.exe	110
PID 1848 wrote to memory of 784	1848	Loader_Setup.exe	111
PID 1848 wrote to memory of 784	1848	Loader_Setup.exe	111
PID 624 wrote to memory of 3724	624	msedge.exe	96
PID 624 wrote to memory of 3724	624	msedge.exe	96
PID 784 wrote to memory of 3756	784	backgroundTaskHost.exe	97
PID 784 wrote to memory of 3756	784	backgroundTaskHost.exe	97
PID 1848 wrote to memory of 2132	1848	Loader_Setup.exe	108
PID 1848 wrote to memory of 2132	1848	Loader_Setup.exe	108
PID 2132 wrote to memory of 1284	2132	cmd.exe	98
PID 2132 wrote to memory of 1284	2132	cmd.exe	98
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 4596	624	msedge.exe	107
PID 624 wrote to memory of 3948	624	msedge.exe	100
PID 624 wrote to memory of 3948	624	msedge.exe	100
PID 624 wrote to memory of 3092	624	msedge.exe	101
PID 624 wrote to memory of 3092	624	msedge.exe	101
PID 624 wrote to memory of 3092	624	msedge.exe	101
PID 624 wrote to memory of 3092	624	msedge.exe	101
PID 624 wrote to memory of 3092	624	msedge.exe	101
PID 624 wrote to memory of 3092	624	msedge.exe	101
PID 624 wrote to memory of 3092	624	msedge.exe	101
PID 624 wrote to memory of 3092	624	msedge.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Loader_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Loader_Setup.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://www.sordum.org/files/downloads.php?st-defender-control 2>nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.sordum.org/files/downloads.php?st-defender-control
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,13465994619602641432,4355350273183877542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,13465994619602641432,4355350273183877542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
      4⤵
      PID:876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13465994619602641432,4355350273183877542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
      4⤵
      PID:1392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,13465994619602641432,4355350273183877542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,13465994619602641432,4355350273183877542,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5404 /prefetch:8
      4⤵
      PID:3800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13465994619602641432,4355350273183877542,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
      4⤵
      PID:2964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13465994619602641432,4355350273183877542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
      4⤵
      PID:3432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13465994619602641432,4355350273183877542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
      4⤵
      PID:5268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13465994619602641432,4355350273183877542,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
      4⤵
      PID:5284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,13465994619602641432,4355350273183877542,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4752 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c WMIC CPU Get VirtualizationFirmwareEnabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
  2⤵
  PID:784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\VC_redist.x64.exe /setup /q /norestart 2>nul
  2⤵
  PID:5276
- - C:\Windows\VC_redist.x64.exe
    C:\Windows\VC_redist.x64.exe /setup /q /norestart
    3⤵
    - Executes dropped EXE
    PID:5404
  - - C:\Windows\Temp\{5FB796BB-0D67-464F-98C3-30B5D2600088}\.cr\VC_redist.x64.exe
      "C:\Windows\Temp\{5FB796BB-0D67-464F-98C3-30B5D2600088}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Windows\VC_redist.x64.exe" -burn.filehandle.attached=660 -burn.filehandle.self=528 /setup /q /norestart
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:5648
    - - C:\Windows\Temp\{9993972F-EB4F-4BF8-93CE-3122EE019ECD}\.be\VC_redist.x64.exe
        
        "C:\Windows\Temp\{9993972F-EB4F-4BF8-93CE-3122EE019ECD}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{C75A1BDA-404C-4183-830D-18DE7894D5B2} {281E5CBD-19B1-4780-906B-FAABD639E659} 5648
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:5940
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={1de5e707-82da-4db6-b810-5d140cc4cbb3} -burn.filehandle.self=1036 -burn.embedded BurnPipe.{21AB4667-2D25-455A-AE68-94F769996651} {EECD78B8-A9ED-4988-A9E5-E552AD84AE25} 5940
        6⤵
        
        PID:5684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\VC_redist.x86.exe /setup /q /norestart 2>nul
  2⤵
  PID:5700
- - C:\Windows\system32\findstr.exe
    findstr /R "[0-9]\.[0-9]\.[0-9]"
    3⤵
    PID:5192
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get version
    3⤵
    PID:5424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c w32tm /unregister 2>nul
  2⤵
  PID:5688
- - C:\Windows\system32\w32tm.exe
    w32tm /unregister
    3⤵
    PID:5808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net start w32time 2>nul
  2⤵
  PID:5824
- - C:\Windows\system32\net.exe
    net start w32time
    3⤵
    PID:5680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c w32tm /register 2>nul
  2⤵
  PID:5864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop w32time 2>nul
  2⤵
  PID:5420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c w32tm /register 2>nul
  2⤵
  PID:5224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c w32tm /resync 2>nul
  2⤵
  PID:5860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get version | findstr /R "[0-9]\.[0-9]\.[0-9]"
  2⤵
  PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb6c446f8,0x7fffb6c44708,0x7fffb6c44718
1⤵
PID:3724

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\System32\Wbem\WMIC.exe
WMIC CPU Get VirtualizationFirmwareEnabled
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,13465994619602641432,4355350273183877542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,13465994619602641432,4355350273183877542,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
1⤵
PID:3092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13465994619602641432,4355350273183877542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
1⤵
PID:1648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,13465994619602641432,4355350273183877542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
1⤵
PID:4928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,13465994619602641432,4355350273183877542,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
1⤵
PID:4596

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:6032

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:5728

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5876

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={1de5e707-82da-4db6-b810-5d140cc4cbb3} -burn.filehandle.self=1036 -burn.embedded BurnPipe.{21AB4667-2D25-455A-AE68-94F769996651} {EECD78B8-A9ED-4988-A9E5-E552AD84AE25} 5940
1⤵
- Loads dropped DLL
PID:5784
- C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
  "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{8B9DAB76-DFFD-4904-94A6-C48F75FDE6A0} {C0F84F14-1372-4FF6-ACD1-2598137AAF34} 5784
  2⤵
  - Modifies registry class
  PID:5204

C:\Windows\VC_redist.x86.exe
C:\Windows\VC_redist.x86.exe /setup /q /norestart
1⤵
- Executes dropped EXE
PID:2236
- C:\Windows\Temp\{D39E2C2B-524A-46F0-A5A4-C86AC1D13512}\.cr\VC_redist.x86.exe
  "C:\Windows\Temp\{D39E2C2B-524A-46F0-A5A4-C86AC1D13512}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Windows\VC_redist.x86.exe" -burn.filehandle.attached=552 -burn.filehandle.self=604 /setup /q /norestart
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4800
- - C:\Windows\Temp\{4EA641FE-A4F2-4B0F-A56A-FE50DF8C8BCA}\.be\VC_redist.x86.exe
    "C:\Windows\Temp\{4EA641FE-A4F2-4B0F-A56A-FE50DF8C8BCA}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{2C06E660-B9ED-477D-8D93-6F142089EE9C} {DF4FB7C8-2EE6-40F0-AC73-54F81FF7F64A} 4800
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    PID:6132
  - - C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
      "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={2cfeba4a-21f8-4ea7-9927-c5a5c6f13cc9} -burn.filehandle.self=1040 -burn.embedded BurnPipe.{F27DF02F-96D1-4649-88FC-5FA1E4BCD223} {9D09803D-7714-480A-8423-5D625EF54B56} 6132
      4⤵
      PID:5696

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={2cfeba4a-21f8-4ea7-9927-c5a5c6f13cc9} -burn.filehandle.self=1040 -burn.embedded BurnPipe.{F27DF02F-96D1-4649-88FC-5FA1E4BCD223} {9D09803D-7714-480A-8423-5D625EF54B56} 6132
1⤵
PID:5688
- C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
  "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{1DD32316-6DB4-4118-B4A8-8845E3917C82} {19008CDC-1F04-42E7-BC1D-B981229DB207} 5688
  2⤵
  - Modifies registry class
  PID:5800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s w32time
1⤵
PID:5276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start w32time
1⤵
PID:5504

C:\Windows\system32\w32tm.exe
w32tm /register
1⤵
- Sets DLL path for service in the registry
PID:5664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop w32time
1⤵
PID:5136

C:\Windows\system32\net.exe
net stop w32time
1⤵
PID:5740

C:\Windows\system32\w32tm.exe
w32tm /register
1⤵
- Sets DLL path for service in the registry
PID:5960

C:\Windows\system32\w32tm.exe
w32tm /resync
1⤵
PID:5228

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Loads dropped DLL
PID:5688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:5700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery