cd1d744dc39adf50bc17b587d203d5fce77995c4c51cc0438187dfc9eabbd948

Analysis

max time kernel
138s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2023 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

desk-zhonwenbao4.9.msi
Size

90.9MB
MD5

9cee7423f1bd5d64559c49689a18c06b
SHA1

5a75b69d2e66fc679c123d60a12712566246904a
SHA256

296608771a852e2e95f8fbd3f1990e671a9b7d44f84470335f262ff9b14b7d1c
SHA512

4e0da5e6fe0205d065cd3eeb9d5e2fb644177d65c273f447686b51d614b5c89a0c435b2ae2698d2a8e2aba5838dc576e5fb2cceb7d44aeea959d9e9369ed6f00
SSDEEP

1572864:3S8hXhuaZPB/j+Q4FAXaG/25Zwd7zZ2r+qriUeB6SXJObHXEq0bT7MbC3IA64Fy1:2aORGqR5ORqrUB7kbon7MbC3z6MbK

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

dac.exe

pid process

1320 dac.exe
Loads dropped DLL 8 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid process

940 MsiExec.exe
940 MsiExec.exe
940 MsiExec.exe
940 MsiExec.exe
940 MsiExec.exe
940 MsiExec.exe
4688 MsiExec.exe
4688 MsiExec.exe

pid	process
1320	dac.exe

pid	process
940	MsiExec.exe
940	MsiExec.exe
940	MsiExec.exe
940	MsiExec.exe
940	MsiExec.exe
940	MsiExec.exe
4688	MsiExec.exe
4688	MsiExec.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral6/memory/1320-89-0x0000000180000000-0x0000000180030000-memory.dmp	upx
behavioral6/memory/1320-87-0x0000000180000000-0x0000000180030000-memory.dmp	upx
behavioral6/memory/1320-90-0x0000000180000000-0x0000000180030000-memory.dmp	upx
behavioral6/memory/1320-91-0x0000000180000000-0x0000000180030000-memory.dmp	upx
behavioral6/memory/1320-92-0x0000000180000000-0x0000000180030000-memory.dmp	upx
behavioral6/memory/1320-101-0x0000000180000000-0x0000000180030000-memory.dmp	upx

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in System32 directory 6 IoCs

Processes:

dac.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7229E30BCFD0992128433D951137A421_F0BB2463DDCCB4B49DC9200CC9E498E9	dac.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7229E30BCFD0992128433D951137A421_F0BB2463DDCCB4B49DC9200CC9E498E9	dac.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7229E30BCFD0992128433D951137A421_76EBFC12D6FD7EE9DD82775C12CF3BD5	dac.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7229E30BCFD0992128433D951137A421_76EBFC12D6FD7EE9DD82775C12CF3BD5	dac.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_F7F9B7BDCC367A8E3539D28F7D4D4BA2	dac.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_F7F9B7BDCC367A8E3539D28F7D4D4BA2	dac.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3290.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{997F38C3-E68F-4219-8D4D-C234BE733C5E}	msiexec.exe
File created	C:\Windows\Installer\e592f75.msi	msiexec.exe
File created	C:\Windows\Installer\e592f73.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e592f73.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3138.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3699.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d63633bfa43ebaae0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d63633bf0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d63633bf000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd63633bf000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d63633bf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

dac.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	dac.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	dac.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	dac.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	dac.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	dac.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	dac.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	dac.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	dac.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dac.exe

Modifies registry class 23 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3C83F799F86E9124D8D42C43EB37C3E5\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\67708036E3027134CBB5C9BE30891990\3C83F799F86E9124D8D42C43EB37C3E5	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\PackageCode = "63F29DC7FCF25354CB1205C9543A7856"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\SourceList\PackageName = "desk-zhonwenbao4.9.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3C83F799F86E9124D8D42C43EB37C3E5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\ProductName = "CS-TG-64"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3C83F799F86E9124D8D42C43EB37C3E5\Language = "2052"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\67708036E3027134CBB5C9BE30891990	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

4312 msiexec.exe
4312 msiexec.exe

pid	process
4312	msiexec.exe
4312	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3932	msiexec.exe
Token: SeSecurityPrivilege	4312	msiexec.exe
Token: SeCreateTokenPrivilege	3932	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3932	msiexec.exe
Token: SeLockMemoryPrivilege	3932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3932	msiexec.exe
Token: SeMachineAccountPrivilege	3932	msiexec.exe
Token: SeTcbPrivilege	3932	msiexec.exe
Token: SeSecurityPrivilege	3932	msiexec.exe
Token: SeTakeOwnershipPrivilege	3932	msiexec.exe
Token: SeLoadDriverPrivilege	3932	msiexec.exe
Token: SeSystemProfilePrivilege	3932	msiexec.exe
Token: SeSystemtimePrivilege	3932	msiexec.exe
Token: SeProfSingleProcessPrivilege	3932	msiexec.exe
Token: SeIncBasePriorityPrivilege	3932	msiexec.exe
Token: SeCreatePagefilePrivilege	3932	msiexec.exe
Token: SeCreatePermanentPrivilege	3932	msiexec.exe
Token: SeBackupPrivilege	3932	msiexec.exe
Token: SeRestorePrivilege	3932	msiexec.exe
Token: SeShutdownPrivilege	3932	msiexec.exe
Token: SeDebugPrivilege	3932	msiexec.exe
Token: SeAuditPrivilege	3932	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3932	msiexec.exe
Token: SeChangeNotifyPrivilege	3932	msiexec.exe
Token: SeRemoteShutdownPrivilege	3932	msiexec.exe
Token: SeUndockPrivilege	3932	msiexec.exe
Token: SeSyncAgentPrivilege	3932	msiexec.exe
Token: SeEnableDelegationPrivilege	3932	msiexec.exe
Token: SeManageVolumePrivilege	3932	msiexec.exe
Token: SeImpersonatePrivilege	3932	msiexec.exe
Token: SeCreateGlobalPrivilege	3932	msiexec.exe
Token: SeCreateTokenPrivilege	3932	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3932	msiexec.exe
Token: SeLockMemoryPrivilege	3932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3932	msiexec.exe
Token: SeMachineAccountPrivilege	3932	msiexec.exe
Token: SeTcbPrivilege	3932	msiexec.exe
Token: SeSecurityPrivilege	3932	msiexec.exe
Token: SeTakeOwnershipPrivilege	3932	msiexec.exe
Token: SeLoadDriverPrivilege	3932	msiexec.exe
Token: SeSystemProfilePrivilege	3932	msiexec.exe
Token: SeSystemtimePrivilege	3932	msiexec.exe
Token: SeProfSingleProcessPrivilege	3932	msiexec.exe
Token: SeIncBasePriorityPrivilege	3932	msiexec.exe
Token: SeCreatePagefilePrivilege	3932	msiexec.exe
Token: SeCreatePermanentPrivilege	3932	msiexec.exe
Token: SeBackupPrivilege	3932	msiexec.exe
Token: SeRestorePrivilege	3932	msiexec.exe
Token: SeShutdownPrivilege	3932	msiexec.exe
Token: SeDebugPrivilege	3932	msiexec.exe
Token: SeAuditPrivilege	3932	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3932	msiexec.exe
Token: SeChangeNotifyPrivilege	3932	msiexec.exe
Token: SeRemoteShutdownPrivilege	3932	msiexec.exe
Token: SeUndockPrivilege	3932	msiexec.exe
Token: SeSyncAgentPrivilege	3932	msiexec.exe
Token: SeEnableDelegationPrivilege	3932	msiexec.exe
Token: SeManageVolumePrivilege	3932	msiexec.exe
Token: SeImpersonatePrivilege	3932	msiexec.exe
Token: SeCreateGlobalPrivilege	3932	msiexec.exe
Token: SeCreateTokenPrivilege	3932	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3932	msiexec.exe
Token: SeLockMemoryPrivilege	3932	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

3932 msiexec.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dac.exe

pid process

1320 dac.exe
1320 dac.exe

pid	process
3932	msiexec.exe

pid	process
1320	dac.exe
1320	dac.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 4312 wrote to memory of 940	4312	msiexec.exe	MsiExec.exe
PID 4312 wrote to memory of 940	4312	msiexec.exe	MsiExec.exe
PID 4312 wrote to memory of 940	4312	msiexec.exe	MsiExec.exe
PID 4312 wrote to memory of 1736	4312	msiexec.exe	srtasks.exe
PID 4312 wrote to memory of 1736	4312	msiexec.exe	srtasks.exe
PID 4312 wrote to memory of 4688	4312	msiexec.exe	MsiExec.exe
PID 4312 wrote to memory of 4688	4312	msiexec.exe	MsiExec.exe
PID 4312 wrote to memory of 4688	4312	msiexec.exe	MsiExec.exe
PID 4312 wrote to memory of 1320	4312	msiexec.exe	dac.exe
PID 4312 wrote to memory of 1320	4312	msiexec.exe	dac.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\desk-zhonwenbao4.9.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3932

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4ECB383C15DE5CF08F0DB319F2462EDA C
2⤵
- Loads dropped DLL
PID:940

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:1736

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B87A052AD09BA6C0B221EB849AC2B677
2⤵
- Loads dropped DLL
PID:4688

C:\Users\Admin\AppData\Roaming\CS-TG-64\tdata\emoji\dac.exe
"C:\Users\Admin\AppData\Roaming\CS-TG-64\tdata\emoji\dac.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1320

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI1CDA.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1CDA.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2BB0.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2BB0.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2D56.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2D56.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2D56.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2DF4.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2DF4.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2E62.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2E62.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI324B.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI324B.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Users\Admin\AppData\Roaming\CS-TG-64\tdata\emoji\cache_22_7

Filesize
9.0MB

MD5
be5628882d28ba1bdb9850dc4b7e7fa1

SHA1
6d37839c4b8ded05c0e8108696e1b794de59a2a8

SHA256
def949e97a2a2d2e504f7c85a27a6f2fd44d3a898357398f4aaa7eb033dfb287

SHA512
16037fd6ee2bb26e1014e9e69a2ee5d7290ebe5021ed1eedaa5908b73c39cc2ba6f66c553be9a39163b8831e8f519b10009e71fb94ce392c7229541192aa1c39

Download Submit
C:\Users\Admin\AppData\Roaming\CS-TG-64\tdata\emoji\dac.exe

Filesize
23.0MB

MD5
ec65abfa1f59b0d7d5335150834226b3

SHA1
036768482c85e94135847d91db77a901b21ff621

SHA256
f5842ba5da811ef75225d03c28b7178c47cc358da67ea5d577a29e23eea3fe6a

SHA512
eb605664dfe37fbd30819235b0851b905f8802a596cc8d986fe4322ea899cb55276dcbca5b85c0d7df50b32ad02016bbe98b012585d5fa6722156edcdc427040

Download Submit
C:\Users\Admin\AppData\Roaming\CS-TG-64\tdata\emoji\dac.exe

Filesize
23.0MB

MD5
ec65abfa1f59b0d7d5335150834226b3

SHA1
036768482c85e94135847d91db77a901b21ff621

SHA256
f5842ba5da811ef75225d03c28b7178c47cc358da67ea5d577a29e23eea3fe6a

SHA512
eb605664dfe37fbd30819235b0851b905f8802a596cc8d986fe4322ea899cb55276dcbca5b85c0d7df50b32ad02016bbe98b012585d5fa6722156edcdc427040

Download Submit
C:\Windows\Installer\MSI3138.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Windows\Installer\MSI3138.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Windows\Installer\MSI3290.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
C:\Windows\Installer\MSI3290.tmp

Filesize
540KB

MD5
dfc682d9f93d6dcd39524f1afcd0e00d

SHA1
adb81b1077d14dbe76d9ececfc3e027303075705

SHA256
f0f00100e20741444f8a6f5db8cc826515134622c3a82e4f53ba6237e97a8328

SHA512
52f84956b480bd06914a3615b75ad198a3ce821b0dd88dd30443bf4ea3d406349c95a115c31cb879775bd716563473909d22a8ec34253eca1aa7009845430bc9

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
7938ecd91d1cd16812cd54cdf71f2e4b

SHA1
6e4edd78bbca895b04abc494ff1beab8940e60dc

SHA256
e1ce61264656d7040ce939e8ee88d111c7836456127059ab3d557875a3fb9957

SHA512
30d8a6ceca94d45d86f72cbf236c891212dc23e5e0f30ee5aa523769d8a8abb3607063000b09419a18f44861b885b48348c21e090fb39bcaaba15564df1b3063

Download Submit
\??\Volume{bf3336d6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c26e6dbd-aba7-468e-b58d-e7b0f43dfba6}_OnDiskSnapshotProp

Filesize
5KB

MD5
886362747c7ebe1ac52de545b8510367

SHA1
c465df3da46c4a25937d7d242adbbd84aef1be00

SHA256
b3a0952a3994d7fa6cc15b2731d85127979bede8ec016dc3426b6892e4560e02

SHA512
6de09dda106f50382269756028a62680fadbfcc566a35993ae215c52e4c31b95dfbf1dec4cbf320936b08cfa1942632026567a28cc540a4ed5e629a78c40a0af

Download Submit
memory/1320-89-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/1320-87-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/1320-90-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/1320-91-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/1320-92-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/1320-101-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download