Analysis
- max time kernel: 87s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240221-en locale:en-us os:windows10-2004-x64 system
- submitted: 23/02/2024, 13:10
Static task: static1
Behavioral task: behavioral1
  Sample: install.msi
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: install.msi
  Resource: win10v2004-20240221-en
General
- Target: install.msi
- Size: 3.3MB
- MD5: 4e5903c4ff6d79dbad178815b377554d
- SHA1: 74f50126aebbd186d6defa3641113cdc88a37fa2
- SHA256: d67bc5bfd6512b944e1c5e3e7d6871771c84d9eb94c863d123c5e92c6a86dc46
- SHA512: 9a513449963c860e9be50c05a79beeea554fc6bc9748b260340711d8cb705cb022f53f10cfdc35ce1ad8d97644df57a9aae959b6dbb96c15b85d8ecaf62031a8
- SSDEEP: 98304:5pKIwis1N1AaewONvZOIUFz+PlROVt1OTLmUsg:6IHmnqvZlUFz8RtyPg
Malware Config
Signatures
- Modifies file permissions (1 TTPs, 2 IoCs)
  pid   Process
  3200  ICACLS.EXE
  4328  ICACLS.EXE
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\G:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\N:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\T:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\I:  msiexec.exe
  File opened (read-only)  \??\V:  msiexec.exe
  File opened (read-only)  \??\W:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\Z:  msiexec.exe
  File opened (read-only)  \??\B:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\L:  msiexec.exe
  File opened (read-only)  \??\Q:  msiexec.exe
  File opened (read-only)  \??\U:  msiexec.exe
  File opened (read-only)  \??\Y:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\H:  msiexec.exe
  File opened (read-only)  \??\P:  msiexec.exe
  File opened (read-only)  \??\J:  msiexec.exe
  File opened (read-only)  \??\K:  msiexec.exe
  File opened (read-only)  \??\M:  msiexec.exe
  File opened (read-only)  \??\S:  msiexec.exe
  File opened (read-only)  \??\E:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
  File opened (read-only)  \??\A:  msiexec.exe
  File opened (read-only)  \??\O:  msiexec.exe
  File opened (read-only)  \??\R:  msiexec.exe
  File opened (read-only)  \??\X:  msiexec.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation  cmd.exe
- Drops file in Windows directory (9 IoCs)
  description                   ioc                                                                     Process
  File opened for modification  C:\Windows\Installer\MSIF567.tmp                                        msiexec.exe
  File opened for modification  C:\Windows\LOGS\DPX\setupact.log                                        EXPAND.EXE
  File created                  C:\Windows\Installer\e58f2e7.msi                                        msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{0EE48DF4-66A0-4D55-A54B-0602B9F3BDE1}  msiexec.exe
  File opened for modification  C:\Windows\Installer\                                                   msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                          msiexec.exe
  File opened for modification  C:\Windows\Installer\e58f2e7.msi                                        msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                msiexec.exe
  File opened for modification  C:\Windows\LOGS\DPX\setuperr.log                                        EXPAND.EXE
- Loads dropped DLL (1 IoCs)
  pid   Process
  4424  MsiExec.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid  pid_target  Process       procid_target
  520  3276        WerFault.exe  108
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description       ioc                                                                                                                                                    Process
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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  vssvc.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  5000  msiexec.exe
  5000  msiexec.exe
  3292  msedge.exe
  3292  msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  pid   Process
  1128  msedge.exe
  1128  msedge.exe
- Suspicious use of AdjustPrivilegeToken (49 IoCs)
  description                           pid   Process
  Token: SeShutdownPrivilege            4548  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       4548  msiexec.exe
  Token: SeSecurityPrivilege            5000  msiexec.exe
  Token: SeCreateTokenPrivilege         4548  msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  4548  msiexec.exe
  Token: SeLockMemoryPrivilege          4548  msiexec.exe
  Token: SeIncreaseQuotaPrivilege       4548  msiexec.exe
  Token: SeMachineAccountPrivilege      4548  msiexec.exe
  Token: SeTcbPrivilege                 4548  msiexec.exe
  Token: SeSecurityPrivilege            4548  msiexec.exe
  Token: SeTakeOwnershipPrivilege       4548  msiexec.exe
  Token: SeLoadDriverPrivilege          4548  msiexec.exe
  Token: SeSystemProfilePrivilege       4548  msiexec.exe
  Token: SeSystemtimePrivilege          4548  msiexec.exe
  Token: SeProfSingleProcessPrivilege   4548  msiexec.exe
  Token: SeIncBasePriorityPrivilege     4548  msiexec.exe
  Token: SeCreatePagefilePrivilege      4548  msiexec.exe
  Token: SeCreatePermanentPrivilege     4548  msiexec.exe
  Token: SeBackupPrivilege              4548  msiexec.exe
  Token: SeRestorePrivilege             4548  msiexec.exe
  Token: SeShutdownPrivilege            4548  msiexec.exe
  Token: SeDebugPrivilege               4548  msiexec.exe
  Token: SeAuditPrivilege               4548  msiexec.exe
  Token: SeSystemEnvironmentPrivilege   4548  msiexec.exe
  Token: SeChangeNotifyPrivilege        4548  msiexec.exe
  Token: SeRemoteShutdownPrivilege      4548  msiexec.exe
  Token: SeUndockPrivilege              4548  msiexec.exe
  Token: SeSyncAgentPrivilege           4548  msiexec.exe
  Token: SeEnableDelegationPrivilege    4548  msiexec.exe
  Token: SeManageVolumePrivilege        4548  msiexec.exe
  Token: SeImpersonatePrivilege         4548  msiexec.exe
  Token: SeCreateGlobalPrivilege        4548  msiexec.exe
  Token: SeBackupPrivilege              4584  vssvc.exe
  Token: SeRestorePrivilege             4584  vssvc.exe
  Token: SeAuditPrivilege               4584  vssvc.exe
  Token: SeBackupPrivilege              5000  msiexec.exe
  Token: SeRestorePrivilege             5000  msiexec.exe
  Token: SeRestorePrivilege             5000  msiexec.exe
  Token: SeTakeOwnershipPrivilege       5000  msiexec.exe
  Token: SeRestorePrivilege             5000  msiexec.exe
  Token: SeTakeOwnershipPrivilege       5000  msiexec.exe
  Token: SeBackupPrivilege              4956  srtasks.exe
  Token: SeRestorePrivilege             4956  srtasks.exe
  Token: SeSecurityPrivilege            4956  srtasks.exe
  Token: SeTakeOwnershipPrivilege       4956  srtasks.exe
  Token: SeBackupPrivilege              4956  srtasks.exe
  Token: SeRestorePrivilege             4956  srtasks.exe
  Token: SeSecurityPrivilege            4956  srtasks.exe
  Token: SeTakeOwnershipPrivilege       4956  srtasks.exe
- Suspicious use of FindShellTrayWindow (18 IoCs)
  pid   Process      occurrences
  4548  msiexec.exe  1
  1128  msedge.exe   17
- Suspicious use of SendNotifyMessage (16 IoCs)
  pid   Process     occurrences
  1128  msedge.exe  16
- Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process      procid_target  occurrences
  PID 5000 wrote to memory of 4956  5000  msiexec.exe  97             2
  PID 5000 wrote to memory of 4424  5000  msiexec.exe  99             3
  PID 4424 wrote to memory of 4328  4424  MsiExec.exe  100            3
  PID 4424 wrote to memory of 2692  4424  MsiExec.exe  102            3
  PID 4424 wrote to memory of 3348  4424  MsiExec.exe  104            3
  PID 3348 wrote to memory of 1128  3348  cmd.exe      106            2
  PID 1128 wrote to memory of 3704  1128  msedge.exe   107            2
  PID 1128 wrote to memory of 736   1128  msedge.exe   110            40
  PID 1128 wrote to memory of 3292  1128  msedge.exe   109            2
  PID 1128 wrote to memory of 1860  1128  msedge.exe   111            4
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 4548)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\install.msi
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 5000)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 4956)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe (PID 4424)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DFE68F5CA2BA3B9051B9C32C13307A7A
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ICACLS.EXE (PID 4328)
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-9d930f68-ecdf-4afa-ac5b-5dbf8a765032\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
      Signatures: Modifies file permissions
    - C:\Windows\SysWOW64\EXPAND.EXE (PID 2692)
      Command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
      Signatures: Drops file in Windows directory
    - C:\Windows\SysWOW64\cmd.exe (PID 3348)
      Command line: "C:\Windows\System32\cmd.exe" /c start msedge https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/UG_Inv/Inv_UG_Invoice_Pay.pdf
      Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1128)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/UG_Inv/Inv_UG_Invoice_Pay.pdf
        Signatures: Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3704)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0xf8,0x130,0x7fff2e6b46f8,0x7fff2e6b4708,0x7fff2e6b4718
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3292)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,12382897602460291106,16700194245527873456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
          Signatures: Suspicious behavior: EnumeratesProcesses
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 736)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,12382897602460291106,16700194245527873456,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1860)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,12382897602460291106,16700194245527873456,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3452)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12382897602460291106,16700194245527873456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4644)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12382897602460291106,16700194245527873456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1368)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12382897602460291106,16700194245527873456,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4928)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2080,12382897602460291106,16700194245527873456,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5276 /prefetch:6
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 756)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12382897602460291106,16700194245527873456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4420 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4672)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12382897602460291106,16700194245527873456,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2024)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,12382897602460291106,16700194245527873456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1080)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,12382897602460291106,16700194245527873456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2168)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12382897602460291106,16700194245527873456,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4836)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12382897602460291106,16700194245527873456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
    - C:\Users\Admin\AppData\Local\Temp\MW-9d930f68-ecdf-4afa-ac5b-5dbf8a765032\files\install.exe (PID 3276)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MW-9d930f68-ecdf-4afa-ac5b-5dbf8a765032\files\install.exe" /VERYSILENT /VERYSILENT
      - C:\Windows\SysWOW64\WerFault.exe (PID 520)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 532
        Signatures: Program crash
    - C:\Windows\SysWOW64\cmd.exe (PID 944)
      Command line: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-9d930f68-ecdf-4afa-ac5b-5dbf8a765032\files"
    - C:\Windows\SysWOW64\ICACLS.EXE (PID 3200)
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-9d930f68-ecdf-4afa-ac5b-5dbf8a765032\." /SETINTEGRITYLEVEL (CI)(OI)LOW
      Signatures: Modifies file permissions
- C:\Windows\system32\vssvc.exe (PID 4584)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\CompPkgSrv.exe (PID 5112)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 3604)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\SysWOW64\WerFault.exe (PID 2348)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3276 -ip 3276
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 6fbbaffc5a50295d007ab405b0885ab5
  SHA1: 518e87df81db1dded184c3e4e3f129cca15baba1
  SHA256: b9cde79357b550b171f70630fa94754ca2dcd6228b94f311aefe2a7f1ccfc7b6
  SHA512: 011c69bf56eb40e7ac5d201c1a0542878d9b32495e94d28c2f3b480772aa541bfd492a9959957d71e66f27b3e8b1a3c13b91f4a21756a9b8263281fd509c007b
- Filesize: 152B
  MD5: 360dd5debf8bf7b89c4d88d29e38446c
  SHA1: 65afff8c78aeb12c577a523cb77cd58d401b0f82
  SHA256: 3d9debe659077c04b288107244a22f1b315bcf7495bee75151a9077e71b41eef
  SHA512: 0ee5b81f0acc82befa24a4438f2ca417ae6fac43fa8c7f264b83b4c792b1bb8d4cecb94c6cbd6facc120dc10d7e4d67e014cdb6b4db83b1a1b60144bb78f7542
- Filesize: 6KB
  MD5: 26fe7cd747db80257f6d24d9959ce8db
  SHA1: d2f1594ebd03ea1531dfb29b65cb9805831a25ca
  SHA256: 982d6cc26cc2bada11c00a35901b9aad97a3caba433850a64b3950ed34009879
  SHA512: c4a691cfb1ec299d72c7370e639e1c4088a6717362c654ad2139ce15c92ac7a9d94d9175697e7b182818d477ecb1ff1686418dfa955a3c7e8c34760c5d630c31
- Filesize: 6KB
  MD5: d4986f4d7c8ced0464ca8d38aaa13281
  SHA1: 73f404ff363261792851fad2d5f0fe29273eca68
  SHA256: 1e3be7ee1f0e81e98842769a66b1294804b3b28fa2bed88dcf8305ad5c9795d5
  SHA512: bd9c7c7c948cfe333a3ea5e28a495e000b31f72160c0662ba4ddfa6ee74469f469ff28eef6a9c5e115211d6e3b1090e9c02f9e952f475579866123e74c0b6a19
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: 68054269fc89e06f3f1082c731511d3f
  SHA1: 9fc17a7bb25169d6f980bb87930f8fa04d708a4d
  SHA256: 8e1b45563a4cb4ff92a45b48fcd7118355203d29c00b77e44b8cfb2546302227
  SHA512: d2bb0d14987d031a6827780d61a37d798a75589192de5bfc6dd69333ff3c1b930a51c162b02055d5cd24ba05a845ca888f277be3e78d7fbf4b77566895b6f2a2
- Filesize: 11KB
  MD5: a39956790d26d99c30bcb3a66fb65884
  SHA1: be932e78e8a04cc0b8d8be80493794a91d698a42
  SHA256: 5e2a7b7843a5c3c6757f65c0472ffb03c53f43c3230dc026dd8bbfaa55d53f2d
  SHA512: 31d2395d7ea8e000ade8be7259cc19fc3a79cdc168b474dab34d26c6188c8340ce810a0f8349e278a9c5a5da42b2cff866deb494232808f4613ab21e10f7a38b
- Filesize: 3.1MB
  MD5: c5251b4a0300ac59b9c51b39b48960ef
  SHA1: 1a9f4710e07aff28c8961b8bb4d5a525ea385e42
  SHA256: 4d5fd376d65beb611b661283d72a19f92e69812c716546e3b3809062671238f2
  SHA512: a00ddbbd2e4d29b6e54ad422d3a69c4cf3b68cec704c677b5713afe8080774a7b35367464fe5bde19efdd07795f1f7ce2ef13f236241b048638f56fa158b2e76
- Filesize: 10.1MB
  MD5: 9fb89be520125bdfb6a226ec5567e25d
  SHA1: 9e33e1233008c2e5cc3aaac82e06f0ec77ded612
  SHA256: 98033ba5ac2af50809779d60521c4b34c9cbe59d3a8d40cbc9508408f415461c
  SHA512: fa7096dea5f4b2a81080dc5904f41cecbb3936f400c89c6d1eb53af42a84e277a279820b3f278fd51ab5a5420820773ebca3579aa6b14e3c716ba328e0f23149
- Filesize: 2.3MB
  MD5: c7ed186c5924b7c20592caed39a39176
  SHA1: 57bdbc155714286a754e4d6a7d74522530709926
  SHA256: 9df720875fa87555679fc524bb3a00c79161a17dc95c0133815b7f37cb980fe0
  SHA512: adde81edb58e6290cfb3cbec69f875e87281f37e8837c70d6dbc80ad3bdced9b996958c23b24ca9b14ba68e2d3eb1c673bb226fcabf05829ee0a910751eda8dd
- Filesize: 1KB
  MD5: bd6139915cab79ee8b839567aac2f4ac
  SHA1: 4eff4b932dc686894785a3db03c780fb0cf5a111
  SHA256: 7a53b5a79d806d88cbe4cca4b869533742a55f10056a4a7a1c4f3b233ddba028
  SHA512: 52025c819e32110218970dab4ffd317ce48a1f195c899e65536ccd715127dfc0d9c9aee5df42211f0ac261c57fd2f8cf50ebcf1cfbb3fa06a7049442496560c3
- Filesize: 208KB
  MD5: 4caaa03e0b59ca60a3d34674b732b702
  SHA1: ee80c8f4684055ac8960b9720fb108be07e1d10c
  SHA256: d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
  SHA512: 25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34
- Filesize: 958KB
  MD5: 3f0d42b39d55932af5651b08a60c40fd
  SHA1: 2657363dbabfdbf5c1cd372ddf9bc0f0a0ee9203
  SHA256: e97873ddb5835e72b1640f10c58ebef378cf94a52713080df94e255efded63df
  SHA512: 3b3f118e9799cd19dff058944c33c62a90f484401dfb70b3019e11a59dfc6bd9f8691ce617b39f2b9eef232dacec0e8fb2e74b4e0f01e4daa2b4ab96791d03c0
- \??\Volume{d3f0c1b4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2c63d791-4bae-4def-a2dd-7dabf796d978}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 2b2e933d5fe37ce0ccd2a94ac5b5530a
  SHA1: 7091b6808947266c29c60f980effd3f73cfea183
  SHA256: 66637f70711d542b2b4619945852749d38290bc7d0c1e6b3b00abcfbccd365fe
  SHA512: f3ab71c1d55963ce2e3861faf8ea415b1dabf6f4e9f10704e2a48f902129dd76a39a663bb23d1eba6bbfd11d614267077c5e75567bf6123e67413cc08f37370b