a8ff885a9d97309785c7ad0c1adb5fbac0887f88294e29b106143e29409b5f2a

Analysis

max time kernel
71s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2023, 20:47

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ReksFN_S13_Installer.exe
Size

49.8MB
MD5

f91c368df806768b95e87f303baf3118
SHA1

f8abff860a8269ab534aee69736c3d6683c77364
SHA256

a8ff885a9d97309785c7ad0c1adb5fbac0887f88294e29b106143e29409b5f2a
SHA512

fd56e97a480362b1363caa344d98b826fec4cbac470c5ed98d5a88586e5adb4b55ae40131dbc37e9cc800b3932b021696f5a6ac2cc496c055796c7c6a43999f4
SSDEEP

1572864:jmsej1oVeC/UYRaI9IEa8rPK6VmSPft03:NejRCR7aiKwrPF03

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	VC_redist.x64.exe

Executes dropped EXE 4 IoCs

pid	Process
4344	ReksFN_S13_Installer.tmp
4844	VC_redist.x64.exe
1364	VC_redist.x64.exe
2344	VC_redist.x64.exe

Loads dropped DLL 2 IoCs

pid	Process
1364	VC_redist.x64.exe
3892	VC_redist.x64.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{d92971ab-f030-43c8-8545-c66c818d0e05} = "\"C:\\ProgramData\\Package Cache\\{d92971ab-f030-43c8-8545-c66c818d0e05}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 50 IoCs

description	ioc	Process
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ReksFN S13\flutter_acrylic_plugin.dll	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\is-S64V2.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-QNO0U.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-3JGVN.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-PKBGK.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-6IRLJ.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-NEU4D.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\tutorial_hybrid\is-OR6NR.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\tutorial_hybrid\is-IAKG4.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-GNL7M.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\tutorial_hybrid\is-H9UTF.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\is-F79SJ.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-R1D5G.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-1QDNG.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-HVP5Q.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-GL370.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-21U7B.tmp	ReksFN_S13_Installer.tmp
File opened for modification	C:\Program Files (x86)\ReksFN S13\dart_discord_rpc_plugin.dll	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-46A6B.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-2NGL5.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\unins000.dat	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\is-6OL2F.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\is-UH1M8.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-D734S.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-JAB6T.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\tutorial_hybrid\is-89OQQ.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-FJ7FA.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-D9754.tmp	ReksFN_S13_Installer.tmp
File opened for modification	C:\Program Files (x86)\ReksFN S13\screen_retriever_plugin.dll	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\is-UIVO7.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-8F745.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-8QJP9.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-H96NV.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-Q4U65.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-5ESSV.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-BOI16.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-N4MI5.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-C6R0L.tmp	ReksFN_S13_Installer.tmp
File opened for modification	C:\Program Files (x86)\ReksFN S13\reksfn_s13.exe	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\is-O5C4F.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\is-VN1QO.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\packages\window_manager\images\is-70FBG.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\is-JFHEH.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-JUFPL.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-K2P42.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-4VQTP.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-CRD18.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-PUFAG.tmp	ReksFN_S13_Installer.tmp
File opened for modification	C:\Program Files (x86)\ReksFN S13\discord-rpc.dll	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-T94N8.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\packages\fluent_ui\fonts\is-A8IPN.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-CJKAB.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-7MBBC.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-T2TL3.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\is-M7KOS.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-RJRP8.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-3DAPT.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-TL5EH.tmp	ReksFN_S13_Installer.tmp
File opened for modification	C:\Program Files (x86)\ReksFN S13\window_to_front_plugin.dll	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\is-R21BF.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-6C7QS.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-PS3IH.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\cosmetics\is-S1OA8.tmp	ReksFN_S13_Installer.tmp
File created	C:\Program Files (x86)\ReksFN S13\data\flutter_assets\assets\images\tutorial_hybrid\is-FJM3J.tmp	ReksFN_S13_Installer.tmp

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI4612.tmp	msiexec.exe
File created	C:\Windows\Installer\e573f5c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5219.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e573f4b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI421A.tmp	msiexec.exe
File created	C:\Windows\Installer\e573f5b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5651.tmp	msiexec.exe
File created	C:\Windows\Installer\e573f6f.msi	msiexec.exe
File created	C:\Windows\Installer\e573f4b.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e573f5c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0AE39060-F209-4D05-ABC7-54B8F9CFA32E}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7DA37AE3-D8AE-49B1-9BDC-23CA0AB9FF22}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008ccb747e6bc781e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008ccb747e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809008ccb747e000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008ccb747e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "241"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EA73AD7EA8D1B94B9CD32ACA09BFF22\PackageCode = "37C10DC7E1CFDF3449836C2066BBD732"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EA73AD7EA8D1B94B9CD32ACA09BFF22\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06093EA0902F50D4BA7C458B9FFC3AE2\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.34.31938"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06093EA0902F50D4BA7C458B9FFC3AE2\PackageCode = "05F1C4F1435294740B67DDCEB43E78EB"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3EA73AD7EA8D1B94B9CD32ACA09BFF22\Provider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EA73AD7EA8D1B94B9CD32ACA09BFF22	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EA73AD7EA8D1B94B9CD32ACA09BFF22\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\ = "{d92971ab-f030-43c8-8545-c66c818d0e05}"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06093EA0902F50D4BA7C458B9FFC3AE2\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{0AE39060-F209-4D05-ABC7-54B8F9CFA32E}v14.34.31938\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.34.31938"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06093EA0902F50D4BA7C458B9FFC3AE2	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06093EA0902F50D4BA7C458B9FFC3AE2\InstanceType = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EA73AD7EA8D1B94B9CD32ACA09BFF22\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{7DA37AE3-D8AE-49B1-9BDC-23CA0AB9FF22}v14.34.31938\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{0AE39060-F209-4D05-ABC7-54B8F9CFA32E}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06093EA0902F50D4BA7C458B9FFC3AE2\Version = "237141186"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.34.31938"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3EA73AD7EA8D1B94B9CD32ACA09BFF22	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EA73AD7EA8D1B94B9CD32ACA09BFF22\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06093EA0902F50D4BA7C458B9FFC3AE2\SourceList\PackageName = "vc_runtimeMinimum_x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06093EA0902F50D4BA7C458B9FFC3AE2\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{7DA37AE3-D8AE-49B1-9BDC-23CA0AB9FF22}"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EA73AD7EA8D1B94B9CD32ACA09BFF22\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\06093EA0902F50D4BA7C458B9FFC3AE2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\06093EA0902F50D4BA7C458B9FFC3AE2\Servicing_Key	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06093EA0902F50D4BA7C458B9FFC3AE2\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Dependents\{d92971ab-f030-43c8-8545-c66c818d0e05}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.34.31938"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EA73AD7EA8D1B94B9CD32ACA09BFF22\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{7DA37AE3-D8AE-49B1-9BDC-23CA0AB9FF22}v14.34.31938\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06093EA0902F50D4BA7C458B9FFC3AE2\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06093EA0902F50D4BA7C458B9FFC3AE2\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{0AE39060-F209-4D05-ABC7-54B8F9CFA32E}v14.34.31938\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06093EA0902F50D4BA7C458B9FFC3AE2\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06093EA0902F50D4BA7C458B9FFC3AE2\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06093EA0902F50D4BA7C458B9FFC3AE2\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EA73AD7EA8D1B94B9CD32ACA09BFF22\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{d92971ab-f030-43c8-8545-c66c818d0e05}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.34.31938"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06093EA0902F50D4BA7C458B9FFC3AE2\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EA73AD7EA8D1B94B9CD32ACA09BFF22\SourceList\PackageName = "vc_runtimeAdditional_x64.msi"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\06093EA0902F50D4BA7C458B9FFC3AE2\DeploymentFlags = "3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X64,AMD64,14.30,BUNDLE\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.34.31938"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\06093EA0902F50D4BA7C458B9FFC3AE2\Provider	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EA73AD7EA8D1B94B9CD32ACA09BFF22\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\3EA73AD7EA8D1B94B9CD32ACA09BFF22	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{d92971ab-f030-43c8-8545-c66c818d0e05}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3EA73AD7EA8D1B94B9CD32ACA09BFF22\VC_Runtime_Additional	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3EA73AD7EA8D1B94B9CD32ACA09BFF22\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4344	ReksFN_S13_Installer.tmp
4344	ReksFN_S13_Installer.tmp
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe
3240	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	32	vssvc.exe
Token: SeRestorePrivilege	32	vssvc.exe
Token: SeAuditPrivilege	32	vssvc.exe
Token: SeShutdownPrivilege	2344	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	2344	VC_redist.x64.exe
Token: SeSecurityPrivilege	3240	msiexec.exe
Token: SeCreateTokenPrivilege	2344	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	2344	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	2344	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	2344	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	2344	VC_redist.x64.exe
Token: SeTcbPrivilege	2344	VC_redist.x64.exe
Token: SeSecurityPrivilege	2344	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	2344	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	2344	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	2344	VC_redist.x64.exe
Token: SeSystemtimePrivilege	2344	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	2344	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	2344	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	2344	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	2344	VC_redist.x64.exe
Token: SeBackupPrivilege	2344	VC_redist.x64.exe
Token: SeRestorePrivilege	2344	VC_redist.x64.exe
Token: SeShutdownPrivilege	2344	VC_redist.x64.exe
Token: SeDebugPrivilege	2344	VC_redist.x64.exe
Token: SeAuditPrivilege	2344	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	2344	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	2344	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	2344	VC_redist.x64.exe
Token: SeUndockPrivilege	2344	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	2344	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	2344	VC_redist.x64.exe
Token: SeManageVolumePrivilege	2344	VC_redist.x64.exe
Token: SeImpersonatePrivilege	2344	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	2344	VC_redist.x64.exe
Token: SeRestorePrivilege	3240	msiexec.exe
Token: SeTakeOwnershipPrivilege	3240	msiexec.exe
Token: SeRestorePrivilege	3240	msiexec.exe
Token: SeTakeOwnershipPrivilege	3240	msiexec.exe
Token: SeRestorePrivilege	3240	msiexec.exe
Token: SeTakeOwnershipPrivilege	3240	msiexec.exe
Token: SeRestorePrivilege	3240	msiexec.exe
Token: SeTakeOwnershipPrivilege	3240	msiexec.exe
Token: SeRestorePrivilege	3240	msiexec.exe
Token: SeTakeOwnershipPrivilege	3240	msiexec.exe
Token: SeRestorePrivilege	3240	msiexec.exe
Token: SeTakeOwnershipPrivilege	3240	msiexec.exe
Token: SeRestorePrivilege	3240	msiexec.exe
Token: SeTakeOwnershipPrivilege	3240	msiexec.exe
Token: SeRestorePrivilege	3240	msiexec.exe
Token: SeTakeOwnershipPrivilege	3240	msiexec.exe
Token: SeRestorePrivilege	3240	msiexec.exe
Token: SeTakeOwnershipPrivilege	3240	msiexec.exe
Token: SeRestorePrivilege	3240	msiexec.exe
Token: SeTakeOwnershipPrivilege	3240	msiexec.exe
Token: SeRestorePrivilege	3240	msiexec.exe
Token: SeTakeOwnershipPrivilege	3240	msiexec.exe
Token: SeRestorePrivilege	3240	msiexec.exe
Token: SeTakeOwnershipPrivilege	3240	msiexec.exe
Token: SeRestorePrivilege	3240	msiexec.exe
Token: SeTakeOwnershipPrivilege	3240	msiexec.exe
Token: SeRestorePrivilege	3240	msiexec.exe
Token: SeTakeOwnershipPrivilege	3240	msiexec.exe
Token: SeRestorePrivilege	3240	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4344	ReksFN_S13_Installer.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1256	LogonUI.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 4344	1036	ReksFN_S13_Installer.exe	85
PID 1036 wrote to memory of 4344	1036	ReksFN_S13_Installer.exe	85
PID 1036 wrote to memory of 4344	1036	ReksFN_S13_Installer.exe	85
PID 4344 wrote to memory of 4844	4344	ReksFN_S13_Installer.tmp	87
PID 4344 wrote to memory of 4844	4344	ReksFN_S13_Installer.tmp	87
PID 4344 wrote to memory of 4844	4344	ReksFN_S13_Installer.tmp	87
PID 4844 wrote to memory of 1364	4844	VC_redist.x64.exe	88
PID 4844 wrote to memory of 1364	4844	VC_redist.x64.exe	88
PID 4844 wrote to memory of 1364	4844	VC_redist.x64.exe	88
PID 1364 wrote to memory of 2344	1364	VC_redist.x64.exe	90
PID 1364 wrote to memory of 2344	1364	VC_redist.x64.exe	90
PID 1364 wrote to memory of 2344	1364	VC_redist.x64.exe	90
PID 2344 wrote to memory of 1784	2344	VC_redist.x64.exe	106
PID 2344 wrote to memory of 1784	2344	VC_redist.x64.exe	106
PID 2344 wrote to memory of 1784	2344	VC_redist.x64.exe	106
PID 1784 wrote to memory of 3892	1784	VC_redist.x64.exe	107
PID 1784 wrote to memory of 3892	1784	VC_redist.x64.exe	107
PID 1784 wrote to memory of 3892	1784	VC_redist.x64.exe	107
PID 3892 wrote to memory of 1684	3892	VC_redist.x64.exe	108
PID 3892 wrote to memory of 1684	3892	VC_redist.x64.exe	108
PID 3892 wrote to memory of 1684	3892	VC_redist.x64.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ReksFN_S13_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\ReksFN_S13_Installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Local\Temp\is-PIN05.tmp\ReksFN_S13_Installer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PIN05.tmp\ReksFN_S13_Installer.tmp" /SL5="$E0028,51251775,908288,C:\Users\Admin\AppData\Local\Temp\ReksFN_S13_Installer.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\is-4HO60.tmp\VC_redist.x64.exe
    "C:\Users\Admin\AppData\Local\Temp\is-4HO60.tmp\VC_redist.x64.exe" /q /norestart /q:a /c:"VCREDI~3.EXE /q:a /c:""msiexec /i vcredist.msi /qn"" "
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\Temp\{0DF6AF4C-C690-42F3-8811-937EE7F8F9BB}\.cr\VC_redist.x64.exe
      "C:\Windows\Temp\{0DF6AF4C-C690-42F3-8811-937EE7F8F9BB}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-4HO60.tmp\VC_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=548 /q /norestart /q:a /c:"VCREDI~3.EXE /q:a /c:""msiexec /i vcredist.msi /qn"" "
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Windows\Temp\{5BB872EF-F57A-49D8-93FB-C2CBEA2D6E43}\.be\VC_redist.x64.exe
        
        "C:\Windows\Temp\{5BB872EF-F57A-49D8-93FB-C2CBEA2D6E43}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{8DF37D3E-7562-4BD1-84E6-8927FDB1B0DD} {D8B03225-4C1F-454C-845E-4462F7AA8943} 1364
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d92971ab-f030-43c8-8545-c66c818d0e05} -burn.filehandle.self=1028 -burn.embedded BurnPipe.{BE54EDE9-0318-4176-9954-55E8D7025436} {F51B488A-60C6-4317-8B0F-0D18709C51D2} 2344
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d92971ab-f030-43c8-8545-c66c818d0e05} -burn.filehandle.self=1028 -burn.embedded BurnPipe.{BE54EDE9-0318-4176-9954-55E8D7025436} {F51B488A-60C6-4317-8B0F-0D18709C51D2} 2344
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{C825AE23-A824-45F9-BFCF-07F03454AA0D} {9445DA7D-269C-4113-8AED-7A777B3BCF26} 3892
        8⤵
        Modifies registry class
        
        PID:1684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:508

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f9055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e573f4e.rbs

Filesize
19KB

MD5
9b2fa85f1f359590247d02504175d737

SHA1
c4afca7125beea7811bdb1ca91da70c04de0d1fa

SHA256
97e714af89dfdb2b79a7cbcb8b76c12af3b5b51e4e518398f080b9d394d4f975

SHA512
7eb19bedd649eab4070cbb77b220549da7aad30507a202777c61ae79a2450ce629216a3c88d48888f6f5f915435e33a7c9adba657401e55c921551b950c9047e

Download Submit
C:\Config.Msi\e573f5a.rbs

Filesize
19KB

MD5
9a2544d774181e3f1b520b730831ae0f

SHA1
f1d9dba004011d0560b929bea3d8ca4e519c3f7b

SHA256
2f8bdd3bec8d1449ca0539167da74403c87e70dbcb01443b1408a4eb83fe7c72

SHA512
9168e58fcb14a5bf37462f67e9a07a34ed373c9a222881a96a110d3de1495eeff10580d98f19d9f4779fb6bdf948b5b5a21e3b6fa3a5f3889cb0dd3edcbaadf8

Download Submit
C:\Config.Msi\e573f5f.rbs

Filesize
21KB

MD5
08ee7825e48a0ac07aae56893bf5a6b6

SHA1
001fc5aedc9494c737b5580c7332428a56fc6e1a

SHA256
98d6eb46a8ffa06051121791b0515d3ea8b792664502adf99e7410433a6450d3

SHA512
c40f5f4fb1553263ad783cadeb522c2fe9fbbb4d9cc4c3699a42cb6303e2a184122f2a3f7c1d56dae292a8b0e52da8d33eea244960b0e6cc305cd9165d7754bd

Download Submit
C:\Config.Msi\e573f6e.rbs

Filesize
21KB

MD5
ca5dc5afdf1b5a18789f76b71f392073

SHA1
f09ce952487eae58f48a038e8a9c657c4ae7ce67

SHA256
21e1402faed0ffdf45975da9e8c10d95118d89d472c067359537a62bee40bb79

SHA512
e489ff295b859b2c9b4b345c9a961564bedfeebac7e9093e6e68db09e108ef38e8821dbc60c51b4505fef49d16887a535464801c32652a60cf1c3d725f59a909

Download Submit
C:\Program Files (x86)\ReksFN S13\reksfn_s13.exe

Filesize
217KB

MD5
8aa09ca4393781484d3b853fa94367fa

SHA1
2153d5225e21757e053e47cd15aa9dbdbda5af02

SHA256
a1cb44302215bfb3c9b4a0e8ca9be78f264f84aa127ab247a09b7202df5e814b

SHA512
8b1073c17ae3ecaa1ae7af47c4decf418dac263c48a071125f17e6ed589d9bf618d1dd120a8384e6733f092b3e5ea295b263b3c161abcdcb62b325461044e5ce

Download Submit
C:\ProgramData\Package Cache\{d92971ab-f030-43c8-8545-c66c818d0e05}\VC_redist.x64.exe

Filesize
635KB

MD5
7cf46d8dfb686998aaaf81e27b995e8c

SHA1
c5638a049787ce441c9720c92d3cd02aa3b02429

SHA256
120019a0ac9f54224fc9787afba241bd9faaecef489be5a660bb16e85df052e4

SHA512
66cf76324e373d3be6cbef39535b419eda486a8f43c305c38a8c01cfc05f9e4073aeade808db8dea306fd3251955e177e45ab578a57114bac1d2df54b4e95efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20230526224913_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
2d0b248a8831979e3230199a8aba2aa8

SHA1
9a2c43ad5295786571ed8e4fec5659a201e9836b

SHA256
b69e8d12c6d36f06705890714a0b29b4cdd775c48cf14fb78ca3fce039b3a26f

SHA512
3c889941414911c08563135d64c6b9fc108715104ca52ec5d1432d0226e5ee1bf72ca62dee09b55bdd311b1c331e1301b168fc67726f5eb237c8ab9d701cf2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20230526224913_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
d04a5741064de76b021273f174e6d37e

SHA1
08f3378e64ffbf17fc6fe1715379859bb981d8a2

SHA256
44601f23b421efa420e3b684b0bf559788b5d895a6304cf33e74f54e1885ffd5

SHA512
f7e6941481a2e0df911e7bd1d9be7ed48de3156254f6c73aea2c26f78baaa4d3e03efbf3691e87ccab25d7cc95d37e578d9a6fa40693804b6efed27e0a7c1e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4HO60.tmp\VC_redist.x64.exe

Filesize
24.3MB

MD5
119dde89a20674349a51893114eae5ed

SHA1
4de9f6681f0f213b132def3af88a3c68483f5f32

SHA256
26c2c72fba6438f5e29af8ebc4826a1e424581b3c446f8c735361f1db7beff72

SHA512
9be541f26b5d43cee1766239d8880ab7d30d18fea2f17e28d63a498b30b7dd0918f389805398cb56b0df0df17c8633cb73f9e46672c93b21be04b85bda7a2648

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4HO60.tmp\VC_redist.x64.exe

Filesize
24.3MB

MD5
119dde89a20674349a51893114eae5ed

SHA1
4de9f6681f0f213b132def3af88a3c68483f5f32

SHA256
26c2c72fba6438f5e29af8ebc4826a1e424581b3c446f8c735361f1db7beff72

SHA512
9be541f26b5d43cee1766239d8880ab7d30d18fea2f17e28d63a498b30b7dd0918f389805398cb56b0df0df17c8633cb73f9e46672c93b21be04b85bda7a2648

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4HO60.tmp\VC_redist.x64.exe

Filesize
24.3MB

MD5
119dde89a20674349a51893114eae5ed

SHA1
4de9f6681f0f213b132def3af88a3c68483f5f32

SHA256
26c2c72fba6438f5e29af8ebc4826a1e424581b3c446f8c735361f1db7beff72

SHA512
9be541f26b5d43cee1766239d8880ab7d30d18fea2f17e28d63a498b30b7dd0918f389805398cb56b0df0df17c8633cb73f9e46672c93b21be04b85bda7a2648

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PIN05.tmp\ReksFN_S13_Installer.tmp

Filesize
3.1MB

MD5
e03317e36c11cfcf7835afae3e9e1bdf

SHA1
9898390399983e5d32a87c2034ca3a42d758b8f7

SHA256
730b1140758d0bfbb7d3a94412b44825bb011877419458a90b8dd63f001bc525

SHA512
d15684aa9b55143d05cde4c0418ecf13a1e6168e974a0650d206d36419b747c481c02835c18ea69556602dbae97380fe8b6d0db4876be48bb53d1e2c608d806a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PIN05.tmp\ReksFN_S13_Installer.tmp

Filesize
3.1MB

MD5
e03317e36c11cfcf7835afae3e9e1bdf

SHA1
9898390399983e5d32a87c2034ca3a42d758b8f7

SHA256
730b1140758d0bfbb7d3a94412b44825bb011877419458a90b8dd63f001bc525

SHA512
d15684aa9b55143d05cde4c0418ecf13a1e6168e974a0650d206d36419b747c481c02835c18ea69556602dbae97380fe8b6d0db4876be48bb53d1e2c608d806a

Download Submit
C:\Windows\Installer\e573f5b.msi

Filesize
180KB

MD5
a16b7d2616657a5ca44c480a82dcdd74

SHA1
1da94c7ea9d2042e6d71e5b2cdbf2256b3956c2b

SHA256
293eba293c34aa7257abb89d7e6aa3dce218b28f565a664a3c531a64e46be379

SHA512
f8244892766553238c56618be1e96515e58cae2b8c3db60505034f4e44b8e3faf766d79839eb0ce0e57128e8a6af71163260a851016b9446ac997b6945e6fc7f

Download Submit
C:\Windows\Temp\{0DF6AF4C-C690-42F3-8811-937EE7F8F9BB}\.cr\VC_redist.x64.exe

Filesize
635KB

MD5
7cf46d8dfb686998aaaf81e27b995e8c

SHA1
c5638a049787ce441c9720c92d3cd02aa3b02429

SHA256
120019a0ac9f54224fc9787afba241bd9faaecef489be5a660bb16e85df052e4

SHA512
66cf76324e373d3be6cbef39535b419eda486a8f43c305c38a8c01cfc05f9e4073aeade808db8dea306fd3251955e177e45ab578a57114bac1d2df54b4e95efe

Download Submit
C:\Windows\Temp\{0DF6AF4C-C690-42F3-8811-937EE7F8F9BB}\.cr\VC_redist.x64.exe

Filesize
635KB

MD5
7cf46d8dfb686998aaaf81e27b995e8c

SHA1
c5638a049787ce441c9720c92d3cd02aa3b02429

SHA256
120019a0ac9f54224fc9787afba241bd9faaecef489be5a660bb16e85df052e4

SHA512
66cf76324e373d3be6cbef39535b419eda486a8f43c305c38a8c01cfc05f9e4073aeade808db8dea306fd3251955e177e45ab578a57114bac1d2df54b4e95efe

Download Submit
C:\Windows\Temp\{5BB872EF-F57A-49D8-93FB-C2CBEA2D6E43}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{5BB872EF-F57A-49D8-93FB-C2CBEA2D6E43}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{5BB872EF-F57A-49D8-93FB-C2CBEA2D6E43}\.be\VC_redist.x64.exe

Filesize
635KB

MD5
7cf46d8dfb686998aaaf81e27b995e8c

SHA1
c5638a049787ce441c9720c92d3cd02aa3b02429

SHA256
120019a0ac9f54224fc9787afba241bd9faaecef489be5a660bb16e85df052e4

SHA512
66cf76324e373d3be6cbef39535b419eda486a8f43c305c38a8c01cfc05f9e4073aeade808db8dea306fd3251955e177e45ab578a57114bac1d2df54b4e95efe

Download Submit
C:\Windows\Temp\{5BB872EF-F57A-49D8-93FB-C2CBEA2D6E43}\.be\VC_redist.x64.exe

Filesize
635KB

MD5
7cf46d8dfb686998aaaf81e27b995e8c

SHA1
c5638a049787ce441c9720c92d3cd02aa3b02429

SHA256
120019a0ac9f54224fc9787afba241bd9faaecef489be5a660bb16e85df052e4

SHA512
66cf76324e373d3be6cbef39535b419eda486a8f43c305c38a8c01cfc05f9e4073aeade808db8dea306fd3251955e177e45ab578a57114bac1d2df54b4e95efe

Download Submit
C:\Windows\Temp\{5BB872EF-F57A-49D8-93FB-C2CBEA2D6E43}\.be\VC_redist.x64.exe

Filesize
635KB

MD5
7cf46d8dfb686998aaaf81e27b995e8c

SHA1
c5638a049787ce441c9720c92d3cd02aa3b02429

SHA256
120019a0ac9f54224fc9787afba241bd9faaecef489be5a660bb16e85df052e4

SHA512
66cf76324e373d3be6cbef39535b419eda486a8f43c305c38a8c01cfc05f9e4073aeade808db8dea306fd3251955e177e45ab578a57114bac1d2df54b4e95efe

Download Submit
C:\Windows\Temp\{5BB872EF-F57A-49D8-93FB-C2CBEA2D6E43}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
21742d42a69cd5caf3a8a2755fb0d472

SHA1
2f081e6a2e3f3f6bbf40e8645e2e85678f52a769

SHA256
51d43233a4a4726e4bf0cb65214dc54cf7b703a980f7b0a276f37bfd2bd7761b

SHA512
53b801763a891a7ac40fd198d91d700050272c9445b84445edfbbe797a4f4d28efbc793297ca45f43cb53db2d0710bf9cf45eba664d70cc414ef73545b834fae

Download Submit
C:\Windows\Temp\{5BB872EF-F57A-49D8-93FB-C2CBEA2D6E43}\cab5046A8AB272BF37297BB7928664C9503

Filesize
925KB

MD5
49d2d776f9d88979fff9041b021ebce6

SHA1
0e505bff7ccb0913a5e2e1c49b5b4cd86102541d

SHA256
5333dd41789fcb64b9da329e14b34544031b8cc4fc2b5f863a01d425064a7954

SHA512
555a9f091bc6cdbe4bc6f9ed40bb3f92129b1bf6db9108c65ea4d8cf837fdd7d47749b33ae9b8a4ae606247485f29968ae52d5c49a086e2522444b02f440c913

Download Submit
C:\Windows\Temp\{5BB872EF-F57A-49D8-93FB-C2CBEA2D6E43}\vcRuntimeAdditional_x64

Filesize
180KB

MD5
5454587e1613092539742efe1183dd67

SHA1
3a26f9456051d342758732f66e5ed751d8afda70

SHA256
cfcdba2bff2f9933db7af33ed47c6a43f484fd8c8b844c246506fc3a5329b6f4

SHA512
c73b6cb8dfce6a52f82ea289f43cdaf198dfc0bfbc406afbd8edc74e5724e0b492850c56d9540e723b60ac0a43be3b4f5c5e6d471c4bc7e4191c04498e57de22

Download Submit
C:\Windows\Temp\{5BB872EF-F57A-49D8-93FB-C2CBEA2D6E43}\vcRuntimeMinimum_x64

Filesize
180KB

MD5
a16b7d2616657a5ca44c480a82dcdd74

SHA1
1da94c7ea9d2042e6d71e5b2cdbf2256b3956c2b

SHA256
293eba293c34aa7257abb89d7e6aa3dce218b28f565a664a3c531a64e46be379

SHA512
f8244892766553238c56618be1e96515e58cae2b8c3db60505034f4e44b8e3faf766d79839eb0ce0e57128e8a6af71163260a851016b9446ac997b6945e6fc7f

Download Submit
C:\Windows\Temp\{8B88D652-63B2-4337-9611-9A6EA9B2A0DF}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{8B88D652-63B2-4337-9611-9A6EA9B2A0DF}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
memory/1036-140-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1036-133-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/1036-705-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/4344-142-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/4344-141-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/4344-138-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/4344-420-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/4344-701-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download
memory/4344-704-0x0000000000400000-0x0000000000726000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads