Analysis
max time kernel: 74s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 13-02-2022 11:37
Static task: static1
Behavioral task: behavioral1
Sample: cd9d625e9fe6116f5f5e938ae9f693e10529df238b4e2bbd974f6d5c41f96aa8.msi
Resource: win7-en-20211208
General
Target: cd9d625e9fe6116f5f5e938ae9f693e10529df238b4e2bbd974f6d5c41f96aa8.msi
Size: 951KB
MD5: 9951c45e09990f06bc3e3758062c9ade
SHA1: 27ef845a9562b989c38dd6d2eda42d31d7c2a354
SHA256: cd9d625e9fe6116f5f5e938ae9f693e10529df238b4e2bbd974f6d5c41f96aa8
SHA512: b97185d2eeec22a2a66cd56f3ca6ee1a4e97c9e1d1ddea24c71ca4d9f7ef4f337c7a1197d08814c4a70870266230891f0798e8c924623291409edfb51b81539d
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
Processes: WScript.exe
flow | pid | process
46 | 4680 | WScript.exe
48 | 4680 | WScript.exe
Executes dropped EXE (1 IoC)
Processes: MSI155A.tmp
pid | process
4644 | MSI155A.tmp
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | wscript.exe
Drops startup file (1 IoC)
Processes: wscript.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oxtrznoswbp.lnk | wscript.exe
Loads dropped DLL (4 IoCs)
Processes: MsiExec.exe
pid | process
4436 | MsiExec.exe
4436 | MsiExec.exe
4436 | MsiExec.exe
4436 | MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description | ioc | process
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
Drops file in Program Files directory (1 IoC)
Processes: msiexec.exe
description | ioc | process
File created | C:\Program Files (x86)\Firefox_2020-3624\Firefox_2020-3624\413824335077635404_5.vbs | msiexec.exe
Drops file in Windows directory (21 IoCs)
Processes: msiexec.exe, svchost.exe, TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\Installer\MSIF8B.tmp | msiexec.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\Installer\1ce05f4.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI75B.tmp | msiexec.exe
File created | C:\Windows\Installer\1ce05f4.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\SourceHash{B72F1701-546C-4C92-9C01-119295C2C8CE} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI155A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE51.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1096.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\1ce05f7.msi | msiexec.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI123C.tmp | msiexec.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: svchost.exe, vssvc.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | svchost.exe
Modifies data under HKEY_USERS (32 IoCs)
Processes: svchost.exe, LogonUI.exe, msiexec.exe, svchost.exe
description | ioc | process
Key deleted | \REGISTRY\USER\S-1-5-19\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "37" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f | svchost.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | msiexec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Key deleted | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1e | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | msiexec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\1f\52C64B7E | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" | svchost.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | msiexec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | svchost.exe
Modifies registry class (23 IoCs)
Processes: msiexec.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\SourceList\PackageName = "cd9d625e9fe6116f5f5e938ae9f693e10529df238b4e2bbd974f6d5c41f96aa8.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1071F27BC64529C4C9101129592C8CEC\MainFeature | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B84C90D980F24A54E8D3E347B241B8EC | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\SourceList\Media\1 = ";" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\ProductName = "Firefox_2020-3624" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\Version = "16777216" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1071F27BC64529C4C9101129592C8CEC | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\PackageCode = "6EA34665EE15EB243BD550B62CD73EDD" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B84C90D980F24A54E8D3E347B241B8EC\1071F27BC64529C4C9101129592C8CEC | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1071F27BC64529C4C9101129592C8CEC\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: msiexec.exe, MSI155A.tmp
pid | process
2388 | msiexec.exe
2388 | msiexec.exe
4644 | MSI155A.tmp (the remaining 62 entries, all identical)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe, svchost.exe, srtasks.exe, TiWorker.exe
description | pid | process
Token: SeShutdownPrivilege | 1720 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1720 | msiexec.exe
Token: SeSecurityPrivilege | 2388 | msiexec.exe
Token: SeCreateTokenPrivilege | 1720 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 1720 | msiexec.exe
Token: SeLockMemoryPrivilege | 1720 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1720 | msiexec.exe
Token: SeMachineAccountPrivilege | 1720 | msiexec.exe
Token: SeTcbPrivilege | 1720 | msiexec.exe
Token: SeSecurityPrivilege | 1720 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1720 | msiexec.exe
Token: SeLoadDriverPrivilege | 1720 | msiexec.exe
Token: SeSystemProfilePrivilege | 1720 | msiexec.exe
Token: SeSystemtimePrivilege | 1720 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 1720 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 1720 | msiexec.exe
Token: SeCreatePagefilePrivilege | 1720 | msiexec.exe
Token: SeCreatePermanentPrivilege | 1720 | msiexec.exe
Token: SeBackupPrivilege | 1720 | msiexec.exe
Token: SeRestorePrivilege | 1720 | msiexec.exe
Token: SeShutdownPrivilege | 1720 | msiexec.exe
Token: SeDebugPrivilege | 1720 | msiexec.exe
Token: SeAuditPrivilege | 1720 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 1720 | msiexec.exe
Token: SeChangeNotifyPrivilege | 1720 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 1720 | msiexec.exe
Token: SeUndockPrivilege | 1720 | msiexec.exe
Token: SeSyncAgentPrivilege | 1720 | msiexec.exe
Token: SeEnableDelegationPrivilege | 1720 | msiexec.exe
Token: SeManageVolumePrivilege | 1720 | msiexec.exe
Token: SeImpersonatePrivilege | 1720 | msiexec.exe
Token: SeCreateGlobalPrivilege | 1720 | msiexec.exe
Token: SeBackupPrivilege | 2412 | vssvc.exe
Token: SeRestorePrivilege | 2412 | vssvc.exe
Token: SeAuditPrivilege | 2412 | vssvc.exe
Token: SeBackupPrivilege | 2388 | msiexec.exe
Token: SeRestorePrivilege | 2388 | msiexec.exe
Token: SeShutdownPrivilege | 536 | svchost.exe
Token: SeCreatePagefilePrivilege | 536 | svchost.exe
Token: SeShutdownPrivilege | 536 | svchost.exe
Token: SeCreatePagefilePrivilege | 536 | svchost.exe
Token: SeShutdownPrivilege | 536 | svchost.exe
Token: SeCreatePagefilePrivilege | 536 | svchost.exe
Token: SeRestorePrivilege | 2388 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2388 | msiexec.exe
Token: SeRestorePrivilege | 2388 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2388 | msiexec.exe
Token: SeBackupPrivilege | 4372 | srtasks.exe
Token: SeRestorePrivilege | 4372 | srtasks.exe
Token: SeSecurityPrivilege | 4372 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4372 | srtasks.exe
Token: SeRestorePrivilege | 2388 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2388 | msiexec.exe
Token: SeRestorePrivilege | 2388 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2388 | msiexec.exe
Token: SeRestorePrivilege | 2388 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2388 | msiexec.exe
Token: SeRestorePrivilege | 2388 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2388 | msiexec.exe
Token: SeSecurityPrivilege | 4604 | TiWorker.exe
Token: SeRestorePrivilege | 4604 | TiWorker.exe
Token: SeBackupPrivilege | 4604 | TiWorker.exe
Token: SeRestorePrivilege | 2388 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2388 | msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: msiexec.exe
pid | process
1720 | msiexec.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: LogonUI.exe
pid | process
4920 | LogonUI.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: msiexec.exe, WScript.exe, wscript.exe, cmd.exe
description | pid | process | target process
PID 2388 wrote to memory of 4372 | 2388 | msiexec.exe | srtasks.exe
PID 2388 wrote to memory of 4372 | 2388 | msiexec.exe | srtasks.exe
PID 2388 wrote to memory of 4436 | 2388 | msiexec.exe | MsiExec.exe
PID 2388 wrote to memory of 4436 | 2388 | msiexec.exe | MsiExec.exe
PID 2388 wrote to memory of 4436 | 2388 | msiexec.exe | MsiExec.exe
PID 2388 wrote to memory of 4644 | 2388 | msiexec.exe | MSI155A.tmp
PID 2388 wrote to memory of 4644 | 2388 | msiexec.exe | MSI155A.tmp
PID 2388 wrote to memory of 4644 | 2388 | msiexec.exe | MSI155A.tmp
PID 4680 wrote to memory of 4768 | 4680 | WScript.exe | wscript.exe
PID 4680 wrote to memory of 4768 | 4680 | WScript.exe | wscript.exe
PID 4768 wrote to memory of 4828 | 4768 | wscript.exe | cmd.exe
PID 4768 wrote to memory of 4828 | 4768 | wscript.exe | cmd.exe
PID 4828 wrote to memory of 4888 | 4828 | cmd.exe | shutdown.exe
PID 4828 wrote to memory of 4888 | 4828 | cmd.exe | shutdown.exe
Processes
(process tree; child processes are indented under their parent)

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cd9d625e9fe6116f5f5e938ae9f693e10529df238b4e2bbd974f6d5c41f96aa8.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1720

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2388

    C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
      - Suspicious use of AdjustPrivilegeToken
      PID: 4372

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 0CB29511D2C194AA7CC446ED39E78E81
      - Loads dropped DLL
      PID: 4436

    C:\Windows\Installer\MSI155A.tmp
      Command line: "C:\Windows\Installer\MSI155A.tmp" "C:\Program Files (x86)\Firefox_2020-3624\Firefox_2020-3624\413824335077635404_5.vbs"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 4644

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID: 2412

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 536

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID: 4156

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 4604

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Firefox_2020-3624\Firefox_2020-3624\413824335077635404_5.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID: 4680

    C:\Windows\System32\wscript.exe
      Command line: wscript.exe C:\Users\Admin\AppData\Roaming\oxtrznoswbp.vbs
      - Checks computer location settings
      - Drops startup file
      - Suspicious use of WriteProcessMemory
      PID: 4768

        C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /c shutdown /r /t 0 /f
          - Suspicious use of WriteProcessMemory
          PID: 4828

            C:\Windows\system32\shutdown.exe
              Command line: shutdown /r /t 0 /f
              PID: 4888

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39cc855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 4920

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  - Modifies data under HKEY_USERS
  PID: 5084
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5 eaa110d16a2f936ad5eb065eeeeb4d63
SHA1 f709ea58e0f65df965d77fc8707ad0cecd57e720
SHA256 0e5838c7b80a24bc9ee2149c91bc60c0eb543477ca963b373c1597f0db435350
SHA512 9c724006a70f5fdbee7ba3d0e93c169f0b65854dfa87fd545ff403b79cb80208f971b31c7ed65943cd1ce64f7785cd74abe97f6fee62ef887f736893a0245584
-
MD5 31b3fa3be13c3eca988b6647cf274003
SHA1 713779818be4a9956a02f8e16231750a9e0c3eb8
SHA256 881aa5538ac02efb941f6cbef4e784f5e4a4a0c70611cc6b7e7e461f21c65f97
SHA512 ba1fddaaa64e0bdc2418d615b2a34683167fc336d12109e29574c3cec51a93d16908bf155b96d0d8c4537b185caa7ee29c3eb6a84074ef366cd161b0fe8eb1bf
-
MD5 ee119a8d8fb152cf9e6c4abf84a72fbb
SHA1 785ce7b0abb621aef388bd67f0e2ed35368eb423
SHA256 4f1eeac4829f6faf85d63073231564591443c50ad0b0a327a429841e0f64dfab
SHA512 e3b747a6edef792310eca38fd79297fec9b6e0aed567e7d83179a29cd8d878fb96c1392ab2f9150156ae552f614f77fa5621c602bf1d607a63b8ae86477bd3c9
-
MD5 c39daeba173815516c180ca4361f7895
SHA1 db3ae54329834baa954569a35be5b947c86dc25e
SHA256 a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
SHA512 e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
-
MD5 c39daeba173815516c180ca4361f7895
SHA1 db3ae54329834baa954569a35be5b947c86dc25e
SHA256 a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
SHA512 e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
-
MD5 867b627b008d149f15e8df90d2648d41
SHA1 543fc2763f98378c5777f0dc1f11f54ee3a71733
SHA256 51d309734f25d009714a0e4d428ffee3f42bfaa3eaf21da68369405f3a0a8233
SHA512 9c3beb4c8c5319f1f584c49fa66b1ee704b6ecb56184af0024a4e363979466c2933a99fa0662532b0ac8ca22536b1717de8214cd828094bbc38f9d8bb3d2da44
-
MD5 c39daeba173815516c180ca4361f7895
SHA1 db3ae54329834baa954569a35be5b947c86dc25e
SHA256 a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
SHA512 e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
-
MD5 c39daeba173815516c180ca4361f7895
SHA1 db3ae54329834baa954569a35be5b947c86dc25e
SHA256 a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
SHA512 e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
-
MD5 c39daeba173815516c180ca4361f7895
SHA1 db3ae54329834baa954569a35be5b947c86dc25e
SHA256 a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
SHA512 e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
-
MD5 c39daeba173815516c180ca4361f7895
SHA1 db3ae54329834baa954569a35be5b947c86dc25e
SHA256 a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
SHA512 e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
-
MD5 c39daeba173815516c180ca4361f7895
SHA1 db3ae54329834baa954569a35be5b947c86dc25e
SHA256 a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
SHA512 e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
-
MD5 c39daeba173815516c180ca4361f7895
SHA1 db3ae54329834baa954569a35be5b947c86dc25e
SHA256 a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc
SHA512 e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929
-
MD5 12074a6152fdc3d5d88a59da275ed09f
SHA1 0f0b5cad804da2b5729677feb2671cc656544ce7
SHA256 50756860b2da5344fb166d37e272e4dd687668f6f27426364d640a56032be056
SHA512 2b7e5c401ec7f4f67c6f1d2d1645b0281f84f5e4208d9567d1137d681e449e97c82cd49ea6192e1b199933736fc889a560e27aef51646b9609a9ea8a68b60265
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\softwaredistribution\DataStore\DataStore.edb
MD5 8f93e3d3e26a783814969d6b7c8b7f19
SHA1 bfba595e92041a6228363557051e89a5b7c9ce52
SHA256 bf30b30ee18292bb244450eae0683b08a292dd2bec3fe04daaba5297a1e682fc
SHA512 f84e41597737111de173783ef748ed273486d1a8c06aa21ecf3eea7726c104e13543312d33ddf12509924878d28828ec4bc68b5a4b5eb034c237f89b3a61b3d7
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\softwaredistribution\DataStore\DataStore.jfm
MD5 57ea1f0ab02e77365030a078928c3d4e
SHA1 0787258f8b28faeef2bfdfe71d0e26a6a153fd58
SHA256 7af1fc293a3b0c0141f0460a540a7f4b7a18c8cf5f5f90a9edc674fc4d0b7cf0
SHA512 de12c32640fdb21ffb49b5a74cb4da23de98373ba98d292996c96517f5ec0031f2719ab0109771c090c16548e8371e78c341201fd72e0c68235833ffd449d003
-
MD5 7601cfcb38376bbf5bc97051192b318f
SHA1 ce6d7fd12294bc50f26d6085aa7cbfccbcaa4dbb
SHA256 c0ed2e8fe959c8f97bff84017244e93752531d9e602d2e3dd5b905117f345159
SHA512 21054b034292c4edab5ef908caa2a4ce4608225735773d2f2f0cd9629c67356bbf20bfb482d8b1aba96888ec4a82ddf46fdfbe241beaafe2bdaad0c9c234d402
-
\??\Volume{1385018a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d4f72be0-ab34-4bb8-ac0d-745694cd2a7d}_OnDiskSnapshotProp
MD5 280d69d5ac94f4fbd94dd8485079f206
SHA1 77e43fe4a7c5851ff902de3f1fd7ff202571551d
SHA256 53674298bd36d26611f1d5b9dd7fa82f3fb1b5025a6251494ac322aa1a0dbb13
SHA512 2fc6ba2c26f6f5a967e65327511d6a2ea706ebe0d8b85d0325d4271d634da75e575ea67bcdbdc848006f99d2d4fbfdacf7d1ddaf34eccc2da02145f8bd698a21