Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/02/2024, 15:13
Static task: static1
Behavioral task: behavioral1
- Sample: install.msi
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: install.msi
- Resource: win10v2004-20231215-en
General
- Target: install.msi
- Size: 4.5MB
- MD5: b63bd820a14d8acfbda0eedd7a884268
- SHA1: 207cbda7e194c02e076984b3ee8edde9475ae426
- SHA256: bc7cacf8352f528b20702cd768f57927f7b4c5b697f61942a8574eee9a7de050
- SHA512: c632b2a211f8a3e121c927e83a280db4a871d57764557d4b30e3a343ee018fac91a1d5eb9d53d5b61277fe8930c52850981de6fad104522c3e8afc33932999be
- SSDEEP: 49152:I9ReWK9YwPhH9D+05jvLHd3P9zmH5HhvRaleHBG5q7vG6f4dCItiGS5oW8XlT45N:KmD+ypP0qlehb+Wai0V4BP
Malware Config
Signatures

Blocklisted process makes network request (5 IoCs)
- flow 4: pid 3244 msiexec.exe
- flow 6: pid 3244 msiexec.exe
- flow 45: pid 3192 MsiExec.exe
- flow 47: pid 3192 MsiExec.exe
- flow 97: pid 1996 powershell.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 71: api.ipify.org
- flow 72: api.ipify.org
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation (MSIF613.tmp)
Drops file in System32 directory (10 IoCs)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_44AD5D0C299F1D4EE038B125B5E5863A (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50 (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50 (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_44AD5D0C299F1D4EE038B125B5E5863A (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94D97B1EC1F43DD6ED4FE7AB95E144BC_8DDC04EFB297854B49541C723EC3D642 (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94D97B1EC1F43DD6ED4FE7AB95E144BC_8DDC04EFB297854B49541C723EC3D642 (powershell.exe)
Drops file in Windows directory (21 IoCs)
- File opened for modification: C:\Windows\SystemTemp\AI_A8A.ps1 (aipackagechainer.exe)
- File opened for modification: C:\Windows\Installer\MSIDDC0.tmp (msiexec.exe)
- File created: C:\Windows\Installer\e57d9ba.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIF566.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIF613.tmp (msiexec.exe)
- File created: C:\Windows\SystemTemp\AI_A8A.ps1 (aipackagechainer.exe)
- File opened for modification: C:\Windows\Installer\MSIE547.tmp (msiexec.exe)
- File created: C:\Windows\Installer\e57d9b6.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIDA72.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIDDA0.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIE0A1.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File opened for modification: C:\Windows\Installer\e57d9b6.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIDF77.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIE1CB.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIE72D.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIDC96.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIE323.tmp (msiexec.exe)
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File created: C:\Windows\Installer\SourceHash{BA2F59D5-EAC4-4AF1-92B1-38FC41794BD9} (msiexec.exe)
Executes dropped EXE (2 IoCs)
- pid 3724: aipackagechainer.exe
- pid 1200: MSIF613.tmp
Loads dropped DLL (9 IoCs)
- pid 3192: MsiExec.exe
- pid 3192: MsiExec.exe
- pid 3192: MsiExec.exe
- pid 3192: MsiExec.exe
- pid 3192: MsiExec.exe
- pid 3192: MsiExec.exe
- pid 3192: MsiExec.exe
- pid 3192: MsiExec.exe
- pid 3192: MsiExec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class (20 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D95F2AB4CAE1FA4291B83CF1497B49D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5D95F2AB4CAE1FA4291B83CF1497B49D (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D95F2AB4CAE1FA4291B83CF1497B49D\Language = "1033" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D95F2AB4CAE1FA4291B83CF1497B49D\Version = "16777216" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D95F2AB4CAE1FA4291B83CF1497B49D\AdvertiseFlags = "388" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D95F2AB4CAE1FA4291B83CF1497B49D\DeploymentFlags = "3" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D95F2AB4CAE1FA4291B83CF1497B49D\SourceList (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D95F2AB4CAE1FA4291B83CF1497B49D\AuthorizedLUAApp = "0" (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\16EF8B390B1CF7F47B1CF3A018AFFFA0\5D95F2AB4CAE1FA4291B83CF1497B49D (msiexec.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D95F2AB4CAE1FA4291B83CF1497B49D\Clients = 3a0000000000 (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5D95F2AB4CAE1FA4291B83CF1497B49D\MainFeature (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D95F2AB4CAE1FA4291B83CF1497B49D (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D95F2AB4CAE1FA4291B83CF1497B49D\ProductName = "Global Installs" (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D95F2AB4CAE1FA4291B83CF1497B49D\SourceList\PackageName = "install.msi" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D95F2AB4CAE1FA4291B83CF1497B49D\SourceList\Net (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D95F2AB4CAE1FA4291B83CF1497B49D\PackageCode = "43F352E0A17FF884E86998E210BD8CCA" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D95F2AB4CAE1FA4291B83CF1497B49D\Assignment = "1" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D95F2AB4CAE1FA4291B83CF1497B49D\InstanceType = "0" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\16EF8B390B1CF7F47B1CF3A018AFFFA0 (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5D95F2AB4CAE1FA4291B83CF1497B49D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" (msiexec.exe)
Suspicious behavior: EnumeratesProcesses (23 IoCs)
- pid 2204: msiexec.exe
- pid 2204: msiexec.exe
- pid 1784: msedge.exe
- pid 1784: msedge.exe
- pid 5040: msedge.exe
- pid 5040: msedge.exe
- pid 1996: powershell.exe
- pid 1996: powershell.exe
- pid 1996: powershell.exe
- pid 3916: powershell.exe
- pid 3916: powershell.exe
- pid 3916: powershell.exe
- pid 1232: powershell.exe
- pid 1232: powershell.exe
- pid 1232: powershell.exe
- pid 4432: powershell.exe
- pid 4432: powershell.exe
- pid 5384: identity_helper.exe
- pid 5384: identity_helper.exe
- pid 4432: powershell.exe
- pid 5396: powershell.exe
- pid 5396: powershell.exe
- pid 5396: powershell.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
- pid 1784: msedge.exe
- pid 1784: msedge.exe
- pid 1784: msedge.exe
- pid 1784: msedge.exe
- pid 1784: msedge.exe
- pid 1784: msedge.exe
- pid 1784: msedge.exe
- pid 1784: msedge.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (31 IoCs)
Suspicious use of SendNotifyMessage (24 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\install.msi
  PID: 3244
  Signatures: Blocklisted process makes network request; Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2204
  Signatures: Enumerates connected drives; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 1144
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 28AE34A7D22E8C8934B36AE60B2C8254
    PID: 3192
    Signatures: Blocklisted process makes network request; Loads dropped DLL
  - C:\Users\Admin\AppData\Roaming\GlobalCo\Global Installs\prerequisites\aipackagechainer.exe
    Command line: "C:\Users\Admin\AppData\Roaming\GlobalCo\Global Installs\prerequisites\aipackagechainer.exe"
    PID: 3724
    Signatures: Drops file in Windows directory; Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe /i "C:\Users\Admin\AppData\Roaming\GlobalCo\Global Installs\prerequisites\Required Application\GlobalInstaller.msi"
      PID: 2860
      Signatures: Enumerates connected drives; Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_A8A.ps1 -paths 'C:\Users\Admin\AppData\Roaming\GlobalCo\Global Installs\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\GlobalCo\Global Installs\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\GlobalCo\Global Installs','C:\Users\Admin\AppData\Roaming\GlobalCo' -retry_count 10"
      PID: 1996
      Signatures: Blocklisted process makes network request; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        PID: 3916
        Signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        PID: 1232
        Signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        PID: 4432
        Signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        PID: 5396
        Signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\Installer\MSIF613.tmp
    Command line: "C:\Windows\Installer\MSIF613.tmp" https://typagesee.io/ty
    PID: 1200
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://typagesee.io/ty
      PID: 1784
      Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9da146f8,0x7ffa9da14708,0x7ffa9da14718
        PID: 3228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,5168112647060608517,15421689851033195564,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:24⤵PID:3496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,5168112647060608517,15421689851033195564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:5040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,5168112647060608517,15421689851033195564,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:84⤵PID:5072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5168112647060608517,15421689851033195564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:14⤵PID:3504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5168112647060608517,15421689851033195564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:14⤵PID:1580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5168112647060608517,15421689851033195564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:14⤵PID:2100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5168112647060608517,15421689851033195564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:14⤵PID:1348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5168112647060608517,15421689851033195564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:14⤵PID:3880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5168112647060608517,15421689851033195564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:14⤵PID:3284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,5168112647060608517,15421689851033195564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:84⤵PID:5352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,5168112647060608517,15421689851033195564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:5384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5168112647060608517,15421689851033195564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:14⤵PID:5616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5168112647060608517,15421689851033195564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:14⤵PID:5608
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1848
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3216
Network
MITRE ATT&CK Enterprise v15
Downloads