fbcc321f10e8ed9fbda3e9d9ce6cc03ad1fa3c83578a2b22ec7f6fd853412750

Analysis

max time kernel
261s
max time network
263s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2023 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.5MB
MD5

33614c059849aaeacaa68422b11a9795
SHA1

baf66bc7a279fcde9fa90708c153e06b89bb60d9
SHA256

25884495d9c27c8b120bfab40bd28b7f5255b4916c54c7fb74a90dd8000bf44e
SHA512

c211cfee30e6f3336a0d4aa8e44d91be4fb0399c2dc7d8a01b37d4264b44865c51037f5b6470f3aecd53cb551951132d80fbdba3b18fe0787cacd6166a66e5f6
SSDEEP

98304:cKYGKdACTgvV6qPvZpgvXM/N3qZBO0cY2YPGvhP0JGom5:cp86qPvZ6v6NH0l7PXm5

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

31 708 powershell.exe

flow	pid	process
31	708	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 5 IoCs

Processes:

MsiExec.exe

pid process

3888 MsiExec.exe
3888 MsiExec.exe
3888 MsiExec.exe
3888 MsiExec.exe
3888 MsiExec.exe

pid	process
3888	MsiExec.exe
3888	MsiExec.exe
3888	MsiExec.exe
3888	MsiExec.exe
3888	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI19A5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1AC0.tmp	msiexec.exe
File created	C:\Windows\Installer\e571725.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CA5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1947.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e571722.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI17FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI18D8.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B1B01242-A134-4172-8520-EE58BAB12470}	msiexec.exe
File created	C:\Windows\Installer\e571722.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000027c70fafd0cbe6b20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000027c70faf0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090027c70faf000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000027c70faf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000027c70faf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe

Modifies registry class 33 IoCs

Processes:

msiexec.exeAnyDesk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\24210B1B431A27145802EE85AB1B4207\MainFeature	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\77F933B46D1B7E843A3263A3FC358A51	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\Language = "1046"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\PackageName = "AnyDesk.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\24210B1B431A27145802EE85AB1B4207	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\24210B1B431A27145802EE85AB1B4207	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\77F933B46D1B7E843A3263A3FC358A51\24210B1B431A27145802EE85AB1B4207	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Media\1 = ";"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\ProductName = "AnyDesk"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\77F933B46D1B7E843A3263A3FC358A51	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\PackageCode = "1BD298B5F2ED9B84692DEE45C27D3993"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\Version = "16777216"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exepowershell.exe

pid process

1060 msiexec.exe
1060 msiexec.exe
708 powershell.exe
708 powershell.exe

pid	process
1060	msiexec.exe
1060	msiexec.exe
708	powershell.exe
708	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	1744	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1744	msiexec.exe
Token: SeSecurityPrivilege	1060	msiexec.exe
Token: SeCreateTokenPrivilege	1744	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1744	msiexec.exe
Token: SeLockMemoryPrivilege	1744	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1744	msiexec.exe
Token: SeMachineAccountPrivilege	1744	msiexec.exe
Token: SeTcbPrivilege	1744	msiexec.exe
Token: SeSecurityPrivilege	1744	msiexec.exe
Token: SeTakeOwnershipPrivilege	1744	msiexec.exe
Token: SeLoadDriverPrivilege	1744	msiexec.exe
Token: SeSystemProfilePrivilege	1744	msiexec.exe
Token: SeSystemtimePrivilege	1744	msiexec.exe
Token: SeProfSingleProcessPrivilege	1744	msiexec.exe
Token: SeIncBasePriorityPrivilege	1744	msiexec.exe
Token: SeCreatePagefilePrivilege	1744	msiexec.exe
Token: SeCreatePermanentPrivilege	1744	msiexec.exe
Token: SeBackupPrivilege	1744	msiexec.exe
Token: SeRestorePrivilege	1744	msiexec.exe
Token: SeShutdownPrivilege	1744	msiexec.exe
Token: SeDebugPrivilege	1744	msiexec.exe
Token: SeAuditPrivilege	1744	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1744	msiexec.exe
Token: SeChangeNotifyPrivilege	1744	msiexec.exe
Token: SeRemoteShutdownPrivilege	1744	msiexec.exe
Token: SeUndockPrivilege	1744	msiexec.exe
Token: SeSyncAgentPrivilege	1744	msiexec.exe
Token: SeEnableDelegationPrivilege	1744	msiexec.exe
Token: SeManageVolumePrivilege	1744	msiexec.exe
Token: SeImpersonatePrivilege	1744	msiexec.exe
Token: SeCreateGlobalPrivilege	1744	msiexec.exe
Token: SeBackupPrivilege	312	vssvc.exe
Token: SeRestorePrivilege	312	vssvc.exe
Token: SeAuditPrivilege	312	vssvc.exe
Token: SeBackupPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe
Token: SeTakeOwnershipPrivilege	1060	msiexec.exe
Token: SeRestorePrivilege	1060	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1744 msiexec.exe
1744 msiexec.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AnyDesk.exe

pid process

5044 AnyDesk.exe
5044 AnyDesk.exe

pid	process
1744	msiexec.exe
1744	msiexec.exe

pid	process
5044	AnyDesk.exe
5044	AnyDesk.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

AnyDesk.exemsiexec.exeMsiExec.exe

description	pid	process	target process
PID 5044 wrote to memory of 1744	5044	AnyDesk.exe	msiexec.exe
PID 5044 wrote to memory of 1744	5044	AnyDesk.exe	msiexec.exe
PID 5044 wrote to memory of 1744	5044	AnyDesk.exe	msiexec.exe
PID 1060 wrote to memory of 4552	1060	msiexec.exe	srtasks.exe
PID 1060 wrote to memory of 4552	1060	msiexec.exe	srtasks.exe
PID 1060 wrote to memory of 3888	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 3888	1060	msiexec.exe	MsiExec.exe
PID 1060 wrote to memory of 3888	1060	msiexec.exe	MsiExec.exe
PID 3888 wrote to memory of 708	3888	MsiExec.exe	powershell.exe
PID 3888 wrote to memory of 708	3888	MsiExec.exe	powershell.exe
PID 3888 wrote to memory of 708	3888	MsiExec.exe	powershell.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\AnyDesk.msi"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1744

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4552

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2789555EC224A639EDF768446A73E954
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss1D3F.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi1D0D.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr1D1E.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr1D1F.txt" -propSep " :<->: " -testPrefix "_testValue."
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e571724.rbs

Filesize
607KB

MD5
283129d5fd257f4ca815aac4fc64c8a7

SHA1
efb4cb827f946cbb70f6c3b0ece3073c886e5c2b

SHA256
92fad31ba2b9699dfaafbe13e7936a273b822ff473f80c218def511b6a92afc5

SHA512
0aba2c25ae701f60da502f87b8ee8bbd942694d046554fc887c05c79c0ef4eb2dafa65e6faa39f4b1a34bdc1de3da52c350115e8fe77590ce5897c3ec785d979

Download Submit
C:\Users\Admin\AppData\Local\Temp\AnyDesk.msi

Filesize
5.2MB

MD5
1b71048c460473fd82ec2de1c98798b0

SHA1
a139134145c4eb2fb460a319d1727540ee264927

SHA256
cb6901ccc6c51ab46b327eb44c5dc7cc597e38c89a7584177e58d5d0f26fe45f

SHA512
d3e09b1533f4b479090b97aea372e8eb720fb7fbcb9bd5290383a432da855ec4a780b50f61dc558595d3b9098ede0cde513b548570dc9293b3cf1f53eb4a0d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\AnyDesk.msi

Filesize
5.2MB

MD5
1b71048c460473fd82ec2de1c98798b0

SHA1
a139134145c4eb2fb460a319d1727540ee264927

SHA256
cb6901ccc6c51ab46b327eb44c5dc7cc597e38c89a7584177e58d5d0f26fe45f

SHA512
d3e09b1533f4b479090b97aea372e8eb720fb7fbcb9bd5290383a432da855ec4a780b50f61dc558595d3b9098ede0cde513b548570dc9293b3cf1f53eb4a0d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0dz01lel.f4z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss1D3F.ps1

Filesize
5KB

MD5
fc1bb6c87fd1f08b534e52546561c53c

SHA1
db402c5c1025cf8d3e79df7b868fd186243aa9d1

SHA256
a04750ed5f05b82b90f6b8ea3748ba246af969757a5a4b74a0e25b186add520b

SHA512
5495f4ac3c8f42394a82540449526bb8ddd91adf0a1a852a9e1f2d32a63858b966648b4099d9947d8ac68ee43824dacda24c337c5b97733905e36c4921280e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr1D1E.ps1

Filesize
17KB

MD5
573c661545a080753d80b02e5116212c

SHA1
4905b0e15d7c6daa47ec99f8536306b8dcdca702

SHA256
9f636f81baf940aa6c51f47bbeb3de89c3a70fcc524bebd4333fcf2e7a690c25

SHA512
0d8c3979a02e0a11207cd5d9dddad6d704fe4aa2c979106e56019c3d2eddfbb93f650e59f1c8ed0336d022cbcb89ce82bdcf5c7ab1635ba096944aa5f743b10e

Download Submit
C:\Windows\Installer\MSI17FC.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI17FC.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI18D8.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI18D8.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI1947.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI1947.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI1947.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI19A5.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI19A5.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI1CA5.tmp

Filesize
574KB

MD5
7b7d9e2c9b8236e7155f2f97254cb40e

SHA1
99621fc9d14511428d62d91c31865fb2c4625663

SHA256
df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897

SHA512
fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228

Download Submit
C:\Windows\Installer\MSI1CA5.tmp

Filesize
574KB

MD5
7b7d9e2c9b8236e7155f2f97254cb40e

SHA1
99621fc9d14511428d62d91c31865fb2c4625663

SHA256
df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897

SHA512
fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
2f442d152bb729cb3091f40c0c02d4fe

SHA1
1a057db69a9b81fe756627af1914a97e7805e9e2

SHA256
6c6ec8ede4717dd31d61cb2d31c7781dfe30f7645a30e3a9a78e474a88bba956

SHA512
c1ba5001364087705340bed1a16d812c9774954404de966b0c794fd8426f8712b454c9d078e527bc02d2e72a07b91c833e1d1fa241849d859092b29b87a94df9

Download Submit
\??\Volume{af0fc727-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{be3aff2a-4bbd-485b-9ee9-a9c725ef5171}_OnDiskSnapshotProp

Filesize
5KB

MD5
ca0f795497b0780b6dda0158112f1521

SHA1
40f106e157322c6e0532996abdca06df70e3149d

SHA256
a39707fb7a04aa3af485441efdfdaee2cada277ec607a97bf112535dc56a2c9f

SHA512
febd9f5a3c5ee899b8b3544f37690ee0e5638aaa5e41fe1ceedf7d9d506dd3e139c1fc70263c684161cb0c0bcbc206e4ca4b04ff9690a1c1e1bbc5289cfd6d1a

Download Submit
memory/708-181-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/708-187-0x0000000005E60000-0x0000000005EC6000-memory.dmp

Filesize
408KB

Download
memory/708-192-0x0000000006440000-0x000000000645E000-memory.dmp

Filesize
120KB

Download
memory/708-179-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/708-194-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/708-195-0x0000000007DB0000-0x000000000842A000-memory.dmp

Filesize
6.5MB

Download
memory/708-196-0x0000000006980000-0x000000000699A000-memory.dmp

Filesize
104KB

Download
memory/708-197-0x0000000007730000-0x00000000077C6000-memory.dmp

Filesize
600KB

Download
memory/708-198-0x0000000006A40000-0x0000000006A62000-memory.dmp

Filesize
136KB

Download
memory/708-199-0x0000000008430000-0x00000000089D4000-memory.dmp

Filesize
5.6MB

Download
memory/708-180-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/708-178-0x0000000005490000-0x00000000054B2000-memory.dmp

Filesize
136KB

Download
memory/708-177-0x0000000005520000-0x0000000005B48000-memory.dmp

Filesize
6.2MB

Download
memory/708-176-0x0000000004EB0000-0x0000000004EE6000-memory.dmp

Filesize
216KB

Download