Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/03/2024, 05:42
Static task: static1
Behavioral task: behavioral1
- Sample: b7278c3c38801c0873759df432bcdf89d3709a7e638a4a150c3f4af179c3372b.msi
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b7278c3c38801c0873759df432bcdf89d3709a7e638a4a150c3f4af179c3372b.msi
- Resource: win10v2004-20240226-en
General
- Target: b7278c3c38801c0873759df432bcdf89d3709a7e638a4a150c3f4af179c3372b.msi
- Size: 20.7MB
- MD5: 8cad37c93cf7d11f1024b814f3da0727
- SHA1: fb39f4d2a74e9b600cc812ce05a77361d3282369
- SHA256: b7278c3c38801c0873759df432bcdf89d3709a7e638a4a150c3f4af179c3372b
- SHA512: bd80292dbd8a4da9cc6b414add992c8f791e74bb7edb74fae4a4ae46fe6f6f6e7593f6fd45b21b3b6eedddb1a26214323ebb498579854c7f7c75d7d72dec42d9
- SSDEEP: 393216:h1z9wvtrdCjOdUprFfa69uxhGkYlwo6qFUklbOebxUf3LCDsHDM5gxp:hx9wvtrMjOdgtaMuxhGXhDb1bafbzDMu
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  flow 6, pid 4788: msiexec.exe
  flow 16, pid 4788: msiexec.exe
  flow 20, pid 4788: msiexec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files\Caribou Store Agent\agent.exe (msiexec.exe)
  File created: C:\Program Files\Caribou Store Agent\nssm.exe (msiexec.exe)
- Drops file in Windows directory (10 IoCs)
  File created: C:\Windows\Installer\e576a43.msi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\e576a43.msi (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI6C18.tmp (msiexec.exe)
  File created: C:\Windows\Installer\e576a45.msi (msiexec.exe)
  File created: C:\Windows\Installer\{198F6BAC-DB05-420F-B6B6-1F0CDAED636B}\icon.ico (msiexec.exe)
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  File created: C:\Windows\Installer\SourceHash{198F6BAC-DB05-420F-B6B6-1F0CDAED636B} (msiexec.exe)
  File opened for modification: C:\Windows\Installer\{198F6BAC-DB05-420F-B6B6-1F0CDAED636B}\icon.ico (msiexec.exe)
- Executes dropped EXE (2 IoCs)
  pid 4320: nssm.exe
  pid 2232: agent.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache (vssvc.exe)
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Modifies data under HKEY_USERS (3 IoCs)
  Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E (msiexec.exe)
  Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 (msiexec.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 (msiexec.exe)
- Modifies registry class (23 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\SourceList (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" (msiexec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\SourceList\Media (msiexec.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\Clients = 3a0000000000 (msiexec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CAB6F89150BDF0246B6BF1C0ADDE36B6 (msiexec.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\Assignment = "1" (msiexec.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\AdvertiseFlags = "388" (msiexec.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\AuthorizedLUAApp = "0" (msiexec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\SourceList\Net (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\SourceList\PackageName = "b7278c3c38801c0873759df432bcdf89d3709a7e638a4a150c3f4af179c3372b.msi" (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\ProductName = "Caribou Coffee Agent" (msiexec.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\Language = "1033" (msiexec.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\Version = "17367049" (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\ProductIcon = "C:\\Windows\\Installer\\{198F6BAC-DB05-420F-B6B6-1F0CDAED636B}\\icon.ico" (msiexec.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\InstanceType = "0" (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14B3E41DD6913854DA0EAEC7579618D1\CAB6F89150BDF0246B6BF1C0ADDE36B6 (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\SourceList\Media\1 = ";" (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CAB6F89150BDF0246B6BF1C0ADDE36B6\Complete (msiexec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6 (msiexec.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\PackageCode = "205A1A943CDC3A34F89AAA987C3B91FA" (msiexec.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CAB6F89150BDF0246B6BF1C0ADDE36B6\DeploymentFlags = "3" (msiexec.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14B3E41DD6913854DA0EAEC7579618D1 (msiexec.exe)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 2468: msedge.exe
  pid 2468: msedge.exe
  pid 4900: msedge.exe
  pid 4900: msedge.exe
  pid 5792: identity_helper.exe
  pid 5792: identity_helper.exe
  pid 5808: msedge.exe
  pid 5808: msedge.exe
  pid 5808: msedge.exe
  pid 5808: msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid 4900: msedge.exe
  pid 4900: msedge.exe
  pid 4900: msedge.exe
  pid 4900: msedge.exe
  pid 4900: msedge.exe
  pid 4900: msedge.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (27 IoCs)
- Suspicious use of SendNotifyMessage (24 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 4788)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b7278c3c38801c0873759df432bcdf89d3709a7e638a4a150c3f4af179c3372b.msi
  Signatures:
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2376)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\srtasks.exe (PID 3272)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\explorer.exe (PID 3344)
    Command line: explorer.exe http://localhost:8090/config
- C:\Windows\system32\vssvc.exe (PID 392)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Caribou Store Agent\nssm.exe (PID 4320)
  Command line: "C:\Program Files\Caribou Store Agent\nssm.exe"
  Signatures:
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files\Caribou Store Agent\agent.exe (PID 2232)
    Command line: "C:\Program Files\Caribou Store Agent\agent.exe"
    Signatures:
    - Executes dropped EXE
- C:\Windows\explorer.exe (PID 3780)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4900)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:8090/config
    Signatures:
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1620)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb15df46f8,0x7ffb15df4708,0x7ffb15df4718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1476)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2468)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3804)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2388 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5136)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5152)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5776)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5792)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5864)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5872)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6136)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5132)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5808)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,2990000275537884103,17027518709821649060,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3504 /prefetch:2
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 5388)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 5436)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads