discordrat | hxxps://webtinq[.]nl/getorbitalxploit/index[.]html

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SystemSettings.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	SystemSettings.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SystemSettings.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	SystemSettings.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGrou = "9"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txy = "4278190080"	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\8fbe8623-1c42-4217-b1af-2ae8286 = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cac = "9"	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\8fbe8623-1c42-4217-b1af-2ae8286 = "MicrosoftWindows.Client.CBS_cw5n1h2txyewy"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cac = "0"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGrou = "0"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txy = "1"	ApplicationFrameHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\8fbe8623-1c42-4217-b1af-2ae8286	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\8fbe8623-1c42-4217-b1af-2ae8286 = "\\\\?\\Volume{280CC82F-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\Input_{74a0829e-1162-42f7-811e-2f5abf1e6e7f}\\ConstraintIndex.cab"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGrou = "INetHistory\\BackgroundTransferApiGroup"	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGrou = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoftwindows.client.cbs_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApiGroup"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txy = "4294967295"	ApplicationFrameHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\8fbe8623-1c42-4217-b1af-2ae8286 = a22fd0fb5d5cdb01	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	SystemSettings.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cac = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoftwindows.client.cbs_cw5n1h2txyewy\\AC\\INetHistory\\BackgroundTransferApi"	DllHost.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\8fbe8623-1c42-4217-b1af-2ae8286	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PersistedTitleBarData\windows.immersivecontrolpanel_cw5n1h2txy	ApplicationFrameHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\8fbe8623-1c42-4217-b1af-2ae8286	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m = f401000040010000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cac = ":BackgroundTransferApi:"	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cac = "INetHistory\\BackgroundTransferApi"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi\Cac = "1"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGrou	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGrou = "1"	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\8fbe8623-1c42-4217-b1af-2ae8286 = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000c6d4c3fb5d5cdb01c6d4c3fb5d5cdb01c6d4c3fb5d5cdb01000000000000000001000000000000000000000000000000280514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800bc003100000000000000000010004d6963726f736f667457696e646f77732e436c69656e742e4342535f6377356e31683274787965777900840009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f0066007400570069006e0064006f00770073002e0043006c00690065006e0074002e004300420053005f006300770035006e003100680032007400780079006500770079000000380060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a006e00310000000000000000001000436f6e73747261696e74496e64657800500009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000043006f006e00730074007200610069006e00740049006e0064006500780000001e00c600310000000000000000001000496e7075745f7b37346130383239652d313136322d343266372d383131652d3266356162663165366537667d00008a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000049006e007000750074005f007b00370034006100300038003200390065002d0031003100360032002d0034003200660037002d0038003100310065002d003200660035006100620066003100650036006500370066007d0000003c000901320000000000215a24782000436f6e73747261696e74496e6465782e63616200580009000400efbe215a2478215a24782e000000000000000000000000000000000000000000000000003a7d000143006f006e00730074007200610069006e00740049006e006400650078002e00630061006200000022008f0000002700efbe8100000031535053b79daeff8d1cff43818c84403aa3732d6500000064000000001f0000002a0000004d006900630072006f0073006f0066007400570069006e0064006f00770073002e0043006c00690065006e0074002e004300420053005f006300770035006e003100680032007400780079006500770079000000000000000000000022000000e10000001c000000010000001c0000003400000000000000e00000001800000003000000eb1d340d1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f667457696e646f77732e436c69656e742e4342535f6377356e3168327478796577795c4c6f63616c53746174655c436f6e73747261696e74496e6465785c496e7075745f7b37346130383239652d313136322d343266372d383131652d3266356162663165366537667d5c436f6e73747261696e74496e6465782e636162000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000076716f6b70716b7100000000000000002613ec81be65ea4a8d0c78006277c37b8553b8c1a784ef11afaeeaff094264fa2613ec81be65ea4a8d0c78006277c37b8553b8c1a784ef11afaeeaff094264fad2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0032003400310030003800320036003400360034002d0032003300350033003300370032003700360036002d0032003300360034003900360036003900300035002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000002fc80c28000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi	DllHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGrou = ":BackgroundTransferApiGroup:"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\PersistedStorageItemTable\System\8fbe8623-1c42-4217-b1af-2ae8286 = "8324"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m	Explorer.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Orbital.zip:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
4620	NOTEPAD.EXE
2148	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1432	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3068	msedge.exe
3068	msedge.exe
3368	msedge.exe
3368	msedge.exe
1892	identity_helper.exe
1892	identity_helper.exe
1104	msedge.exe
1104	msedge.exe
1456	msedge.exe
1456	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1748	msedge.exe
1016	Fixer.exe
1016	Fixer.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
1016	Fixer.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
1016	Fixer.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
1016	Fixer.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
1016	Fixer.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
1016	Fixer.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe
4552	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3316	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1016	Fixer.exe
Token: SeDebugPrivilege	1016	Fixer.exe
Token: SeDebugPrivilege	4552	dllhost.exe
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeAuditPrivilege	2552	svchost.exe
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeAuditPrivilege	2552	svchost.exe
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE
3316	Explorer.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3580	OrbitalXMain.exe
3580	OrbitalXMain.exe
3580	OrbitalXMain.exe
3316	Explorer.EXE
5924	SystemSettings.exe
6296	OpenWith.exe
6260	OpenWith.exe
6644	OpenWith.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3884	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 716	3368	msedge.exe	77
PID 3368 wrote to memory of 716	3368	msedge.exe	77
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3572	3368	msedge.exe	78
PID 3368 wrote to memory of 3068	3368	msedge.exe	79
PID 3368 wrote to memory of 3068	3368	msedge.exe	79
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80
PID 3368 wrote to memory of 3036	3368	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:468
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3d7b1e4b-7363-48b4-98ef-3d72debfe3f8}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4552

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1500
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2020

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Drops file in System32 directory
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:988

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3092

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://webtinq.nl/getorbitalxploit/index.html
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffddaba3cb8,0x7ffddaba3cc8,0x7ffddaba3cd8
    3⤵
    PID:716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,13377863643515159039,9010947618978733223,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
    3⤵
    PID:3572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,13377863643515159039,9010947618978733223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,13377863643515159039,9010947618978733223,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
    3⤵
    PID:3036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13377863643515159039,9010947618978733223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
    3⤵
    PID:1144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13377863643515159039,9010947618978733223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:2644
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,13377863643515159039,9010947618978733223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,13377863643515159039,9010947618978733223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13377863643515159039,9010947618978733223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
    3⤵
    PID:3304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13377863643515159039,9010947618978733223,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
    3⤵
    PID:3356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13377863643515159039,9010947618978733223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
    3⤵
    PID:3920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13377863643515159039,9010947618978733223,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
    3⤵
    PID:2164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13377863643515159039,9010947618978733223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
    3⤵
    PID:1044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,13377863643515159039,9010947618978733223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
    3⤵
    PID:5048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,13377863643515159039,9010947618978733223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1164 /prefetch:8
    3⤵
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:1456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,13377863643515159039,9010947618978733223,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1220 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1748
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Orbital.zip\Orbital\open me password.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2148
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Orbital.zip\Orbital\instructions.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4620
- C:\Users\Admin\Downloads\Orbital\Orbital\OrbitalXMain.exe
  "C:\Users\Admin\Downloads\Orbital\Orbital\OrbitalXMain.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3580
- C:\Users\Admin\Downloads\Orbital\Orbital\OrbitalMain\Orbitamain.exe
  "C:\Users\Admin\Downloads\Orbital\Orbital\OrbitalMain\Orbitamain.exe"
  2⤵
  PID:952
- C:\Users\Admin\Downloads\Orbital\Orbital\OrbitalMain\Fixer.exe
  "C:\Users\Admin\Downloads\Orbital\Orbital\OrbitalMain\Fixer.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- - C:\Windows\SYSTEM32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "$77Fixer.exe" /tr "'C:\Users\Admin\Downloads\Orbital\Orbital\OrbitalMain\Fixer.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1432
- C:\Users\Admin\Downloads\Orbital\Orbital\OrbitalMain\Orbitamain.exe
  "C:\Users\Admin\Downloads\Orbital\Orbital\OrbitalMain\Orbitamain.exe"
  2⤵
  PID:664
- C:\Users\Admin\Downloads\Orbital\Orbital\OrbitalMain\Orbitamain.exe
  "C:\Users\Admin\Downloads\Orbital\Orbital\OrbitalMain\Orbitamain.exe"
  2⤵
  PID:6852
- C:\Users\Admin\Downloads\Orbital\Orbital\OrbitalMain\Orbitamain.exe
  "C:\Users\Admin\Downloads\Orbital\Orbital\OrbitalMain\Orbitamain.exe"
  2⤵
  PID:6960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3504

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3884

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Modifies registry class
PID:3936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3996

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1080

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1324

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2504

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in System32 directory
PID:2092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:4748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:4956
- C:\Windows\system32\werfault.exe
  werfault.exe /h /shared Global\67660ae6e7744ef2b1ef630fad0fc417 /t 1216 /p 3580
  2⤵
  PID:4036

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:4872

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
- Modifies registry class
PID:5276

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5924

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
1⤵
PID:5396

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:7564

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:7628

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:7644

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:6008

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6260

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6296

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:5984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery