a3997581117092d5ccb18a26056b17c6686c65d8b6da6bd7cf85f8930d7b3553

Analysis

max time kernel
131s
max time network
110s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29/03/2023, 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Size

16.2MB
MD5

76c1dacebfb27e9c6078fe678fb65f92
SHA1

5e565b031de74f17b35b1e5648c7a56a58de5d16
SHA256

91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183
SHA512

4b31cf832e83a9518ff63b6c38368e610770803c5d7103bb2f8784628839297bda9b2ccd33b29e48efd7e9247673e840eec699b753393a6c6293970afd260564
SSDEEP

393216:yRq1T/lOuJx1FHBb8Di6W3FPhG9G7M90w1:yRAlOurL18W6W3FPH7fw1

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
1928	MsiExec.exe
1928	MsiExec.exe
1928	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\Q:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\T:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\X:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\I:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\O:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\P:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\V:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\W:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\Y:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\H:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\Z:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\J:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\R:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\U:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
File opened (read-only)	\??\N:	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeAssignPrimaryTokenPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeLockMemoryPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeIncreaseQuotaPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeMachineAccountPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeTcbPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeSecurityPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeTakeOwnershipPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeLoadDriverPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeSystemProfilePrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeSystemtimePrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeProfSingleProcessPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeIncBasePriorityPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeCreatePagefilePrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeCreatePermanentPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeBackupPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeRestorePrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeShutdownPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeDebugPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeAuditPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeSystemEnvironmentPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeChangeNotifyPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeRemoteShutdownPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeUndockPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeSyncAgentPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeEnableDelegationPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeManageVolumePrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeImpersonatePrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeCreateGlobalPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeSecurityPrivilege	1876	msiexec.exe
Token: SeCreateTokenPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeAssignPrimaryTokenPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeLockMemoryPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeIncreaseQuotaPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeMachineAccountPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeTcbPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeSecurityPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeTakeOwnershipPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeLoadDriverPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeSystemProfilePrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeSystemtimePrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeProfSingleProcessPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeIncBasePriorityPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeCreatePagefilePrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeCreatePermanentPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeBackupPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeRestorePrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeShutdownPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeDebugPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeAuditPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeSystemEnvironmentPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeChangeNotifyPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeRemoteShutdownPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeUndockPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeSyncAgentPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeEnableDelegationPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeManageVolumePrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeImpersonatePrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
Token: SeCreateGlobalPrivilege	1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1992	91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 1928	1876	msiexec.exe	29
PID 1876 wrote to memory of 1928	1876	msiexec.exe	29
PID 1876 wrote to memory of 1928	1876	msiexec.exe	29
PID 1876 wrote to memory of 1928	1876	msiexec.exe	29
PID 1876 wrote to memory of 1928	1876	msiexec.exe	29
PID 1876 wrote to memory of 1928	1876	msiexec.exe	29
PID 1876 wrote to memory of 1928	1876	msiexec.exe	29

C:\Users\Admin\AppData\Local\Temp\91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe
"C:\Users\Admin\AppData\Local\Temp\91b7aea9c34e3e18301ae36000ad89f46952b58754bd76be4519f509d1420183.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1992

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 03C08547F1DB18E97D91A0561C27A7C1 C
  2⤵
  - Loads dropped DLL
  PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIE207D.tmp

Filesize
830KB

MD5
318c1b3ba46b0c8138cd4be3d66be0de

SHA1
7d829ab0c74f2b8ccc731821e8c268bd4a6b2cd8

SHA256
db6e5ccd6f59ae3033d719cc79b7be53408363a1d8b5dd55d78d7041a944d9df

SHA512
a4a473602690c0af6fb14c0e3425ff407b7d2e08ba5c3aa204304198e7a85dd15f618dfcd3bb9bdcfeba20a2b255bdea0926ea3eaeb9545380cd00097236116a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIE207D.tmp

Filesize
830KB

MD5
56438e33a740d76bdaa99a34623910ea

SHA1
40745f8bcb85abb77ca3dc1b6d3ec9e4d5428d3d

SHA256
733098d367a42f04c2499475f31753b789c64c20368737633c9aad540620bede

SHA512
733973e1a9ff7b473d70fce47a51f25c69b0ad1a798f127df89ab135780042c25c30545bd3e750b5f061fab3dca691334466217760eeae540ff33fd0cd1eedaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3C42.tmp

Filesize
57KB

MD5
b3a3b86ab6e8e3f3cf782dd7c624fa10

SHA1
dfd86e147552ce2ad2289039edeab4a0ae09f96b

SHA256
60970d9e44051dbcc8fd863f8e82a2423ac7a65305ffde4c2c1d61d5e9c8bca9

SHA512
b6843667ab531ffe57cc13e55fab32606708210e24590a23f7efda16253d7a87f2a91f34de05c6a15a860fd1d9ec54f1392b231e34b0c62a7564f48b2ab89eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3EF1.tmp

Filesize
263KB

MD5
cd6bac60f4891fc56b61949cfac5186d

SHA1
4eb57e46160c1263c47c8630506451dba1dca191

SHA256
919a3c53883132bff760c954bdc48b930ddecb17fbdb5d4b71b193c5fe6a9b06

SHA512
f88096acda528b75de0ad2ff0a8445a4ea47ffd9c0b3f9eb5d7e1f0257ffbd5ea9dc5a75547e9eb1a6d951b5e625c750c0218f5fce47e67eba3cee7a45ee59fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3F21.tmp

Filesize
57KB

MD5
b3a3b86ab6e8e3f3cf782dd7c624fa10

SHA1
dfd86e147552ce2ad2289039edeab4a0ae09f96b

SHA256
60970d9e44051dbcc8fd863f8e82a2423ac7a65305ffde4c2c1d61d5e9c8bca9

SHA512
b6843667ab531ffe57cc13e55fab32606708210e24590a23f7efda16253d7a87f2a91f34de05c6a15a860fd1d9ec54f1392b231e34b0c62a7564f48b2ab89eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3F21.tmp

Filesize
57KB

MD5
b3a3b86ab6e8e3f3cf782dd7c624fa10

SHA1
dfd86e147552ce2ad2289039edeab4a0ae09f96b

SHA256
60970d9e44051dbcc8fd863f8e82a2423ac7a65305ffde4c2c1d61d5e9c8bca9

SHA512
b6843667ab531ffe57cc13e55fab32606708210e24590a23f7efda16253d7a87f2a91f34de05c6a15a860fd1d9ec54f1392b231e34b0c62a7564f48b2ab89eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar351D.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3C42.tmp

Filesize
57KB

MD5
b3a3b86ab6e8e3f3cf782dd7c624fa10

SHA1
dfd86e147552ce2ad2289039edeab4a0ae09f96b

SHA256
60970d9e44051dbcc8fd863f8e82a2423ac7a65305ffde4c2c1d61d5e9c8bca9

SHA512
b6843667ab531ffe57cc13e55fab32606708210e24590a23f7efda16253d7a87f2a91f34de05c6a15a860fd1d9ec54f1392b231e34b0c62a7564f48b2ab89eaa

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3EF1.tmp

Filesize
263KB

MD5
cd6bac60f4891fc56b61949cfac5186d

SHA1
4eb57e46160c1263c47c8630506451dba1dca191

SHA256
919a3c53883132bff760c954bdc48b930ddecb17fbdb5d4b71b193c5fe6a9b06

SHA512
f88096acda528b75de0ad2ff0a8445a4ea47ffd9c0b3f9eb5d7e1f0257ffbd5ea9dc5a75547e9eb1a6d951b5e625c750c0218f5fce47e67eba3cee7a45ee59fd

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3F21.tmp

Filesize
57KB

MD5
b3a3b86ab6e8e3f3cf782dd7c624fa10

SHA1
dfd86e147552ce2ad2289039edeab4a0ae09f96b

SHA256
60970d9e44051dbcc8fd863f8e82a2423ac7a65305ffde4c2c1d61d5e9c8bca9

SHA512
b6843667ab531ffe57cc13e55fab32606708210e24590a23f7efda16253d7a87f2a91f34de05c6a15a860fd1d9ec54f1392b231e34b0c62a7564f48b2ab89eaa

Download Submit
\Users\Admin\AppData\Roaming\beyerdynamic\steno-s 4\install\1033.dll

Filesize
95KB

MD5
d97ab48736271e0123566a09ec16b0de

SHA1
7cb2a92400bd3499640eb27079ea64bafa5cc9ec

SHA256
8521baa5e14fcf64ea158cf5b0fe3ccb3cf448cb4eee7c993641be54447c030e

SHA512
da83f0523d79b8343dd0c96bb79a578a17ad5ab38ae5eb9d955dc9ed18ea28b6cf6d08a8f531693bf2c212c36ec8b52d1d52aac6da9080dc186c935fd2736180

Download Submit
memory/1992-57-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1992-173-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download