Analysis Overview
SHA256
bff478766c3a3962228a15fcaae1fbf8c31ec337a83496c4670cd3e704ead735
Threat Level: Known bad
The file af64b568501ce3d7e43ace3dca1183e2.bin was found to be: Known bad.
Malicious Activity Summary
Maze
Deletes shadow copies
Loads dropped DLL
Drops startup file
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Windows directory
Drops file in Program Files directory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-10-31 02:49
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-31 02:49
Reported
2023-10-31 02:52
Platform
win10v2004-20231023-en
Max time kernel
152s
Max time network
146s
Command Line
Signatures
Maze
Deletes shadow copies
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6beb0cb347db9a2f.tmp | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6beb0cb347db9a2f.tmp | C:\Windows\syswow64\MsiExec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp" | C:\Windows\syswow64\MsiExec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\6beb0cb347db9a2f.tmp | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\BlockInstall.xhtml | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\InstallSkip.vsdx | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\6beb0cb347db9a2f.tmp | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files\DECRYPT-FILES.txt | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\ReadCopy.dotx | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\RegisterUnlock.xltx | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\RequestSwitch.xlsx | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\ResolveCompare.raw | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\StartExport.htm | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\pawufefu\ReadMe.txt | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\CheckpointLimit.easmx | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\CompareHide.js | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\CompleteRestore.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\InstallExport.mpv2 | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\RevokeRemove.mht | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\SuspendConnect.gif | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\GrantDisconnect.ico | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\TraceResize.mhtml | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\UseSwitch.mht | C:\Windows\syswow64\MsiExec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{9E08E773-4CD6-4234-8DDB-3CBBF4A050A0} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIED49.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEDA8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e58eb74.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e58eb74.msi | C:\Windows\system32\msiexec.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000064ad0c2742b1dab0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000064ad0c20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900064ad0c2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d064ad0c2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000064ad0c200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2852 wrote to memory of 4624 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\srtasks.exe |
| PID 2852 wrote to memory of 4624 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\srtasks.exe |
| PID 2852 wrote to memory of 1344 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2852 wrote to memory of 1344 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2852 wrote to memory of 1344 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 1344 wrote to memory of 3920 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1344 wrote to memory of 3920 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Windows\system32\wbem\wmic.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\af64b568501ce3d7e43ace3dca1183e2.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A02C15D667296BF410A557C25210E380
C:\Windows\system32\wbem\wmic.exe
"C:\p\..\Windows\j\pdoj\ji\..\..\..\system32\tuh\..\wbem\c\hkbt\v\..\..\..\wmic.exe" shadowcopy delete
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x41c 0x4a8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 98.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
C:\Windows\Installer\MSIEDA8.tmp
| MD5 | 718d001ca0e953c5f52f8a4ae2697411 |
| SHA1 | 4e5727a404418663b228fedba2007de26f830b07 |
| SHA256 | 53a21f26abc617eda7de86aaad08a2e6df7be31ab529a2f906951baedefe47fd |
| SHA512 | 3f8b80969e38af1138404f05bcab313f8167acc14dc7c905f9bd25e244e4a4d5bca61c601f5a50a5e8bf57668c4100adb08c4fc31668c88814a12c86f36784fc |
C:\Windows\Installer\MSIEDA8.tmp
| MD5 | 718d001ca0e953c5f52f8a4ae2697411 |
| SHA1 | 4e5727a404418663b228fedba2007de26f830b07 |
| SHA256 | 53a21f26abc617eda7de86aaad08a2e6df7be31ab529a2f906951baedefe47fd |
| SHA512 | 3f8b80969e38af1138404f05bcab313f8167acc14dc7c905f9bd25e244e4a4d5bca61c601f5a50a5e8bf57668c4100adb08c4fc31668c88814a12c86f36784fc |
\??\Volume{c2d04a06-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cce326af-4643-4a12-a380-014ce4469c27}_OnDiskSnapshotProp
| MD5 | 4565da4926d6dc0261b79be07494e636 |
| SHA1 | c0b269ae72dc4c1753ea73769cffa06b1144060a |
| SHA256 | c5cbf78f78b1eab7258562fd59168f5847cfd38c8b90d6324f51c277910a7dc1 |
| SHA512 | 991e828c4bd48cd30e7cce460243b51deae018cc5532a37bc9edf9db291720e594875edeafb45c6a145465d36cdeb4a6278b8355782c0d633e3929ff1b4f53d0 |
memory/1344-19-0x0000000002820000-0x000000000287D000-memory.dmp
memory/1344-24-0x0000000002820000-0x000000000287D000-memory.dmp
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 13fa4befb65ae433cdf5a0ae55696417 |
| SHA1 | fc9d107572403d0ee3d57c5ce03ab2ed9114018f |
| SHA256 | 2ce4bdff6731ae8fd3bf0e02187ea9eac73cb354a0d14767d232d57632ca4ceb |
| SHA512 | af363dd6479d74c9ea961382d1ef66d176f7b8cd0a63f74fe26980268a4c3c7646b5cf59555b92594639f3fe7ca26873f6454f3dec04ba7508f2a95ed630d139 |
memory/1344-27-0x0000000002820000-0x000000000287D000-memory.dmp
memory/1344-30-0x0000000002820000-0x000000000287D000-memory.dmp
C:\Users\DECRYPT-FILES.txt
| MD5 | 77c3a614c675f2b5c7cdb563292f608e |
| SHA1 | 5b98149307ec0cd34985a632295296514ac78781 |
| SHA256 | c417d48e0c3afa49ed2a5bab55a7f89c95c18f0382b5232e3697ac0b311e2d42 |
| SHA512 | 96cd68e63f7a531cc4caef7b4844f3d038ace8fb587f664342e2539bd0c43da9da206ef7a0282bb612197cff647a2bdff16b67b98d259606e866d6e6a7e616b5 |
C:\Config.Msi\e58eb75.rbs
| MD5 | ab05d16b471c6eee2d6202ffbc469058 |
| SHA1 | bff924829a18da8a27014230a8c7eeca514dfa0e |
| SHA256 | c109fca02d8d71c6fa0ff04855c32522aaae478ca5b7997b6443f4183459c922 |
| SHA512 | 05728b65a4123ec2486699d0457827b9604d951ef2f1b372779ed86cc1646c44849140b2fda7b0cc4326e4f0b49c5aee31834320c55ec3fdf3e6774f9297274e |
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1344-766-0x0000000002820000-0x000000000287D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_B05958E041E04BBCB35D04BC68F4C579.dat
| MD5 | c171e02f9bbf52b4614b944705cdde91 |
| SHA1 | 99d01ad9c82c8b7688117c00e7603678635fdd36 |
| SHA256 | 7ca59b1f475f59187fa610ad44ec38406b1d01a837e6b90920ab1097d71e0208 |
| SHA512 | 89a6d930710ac7413d29f1ba14c53901adf8ef055e76bb551a63167ea5b29a032314bf7ca16f5b5337aee45947e62eac18405e595a07cf1699a5063a70c90827 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-31 02:49
Reported
2023-10-31 02:52
Platform
win7-20231020-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Maze
Deletes shadow copies
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6dc90cd941a81769.tmp | C:\Windows\syswow64\MsiExec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp" | C:\Windows\syswow64\MsiExec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\ClearMount.eps | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\ConfirmSwitch.cab | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\ImportRead.xml | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\SwitchClose.asx | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\FormatResume.ocx | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\RedoMerge.dwfx | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\AddConnect.au | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\AssertEnter.ico | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6dc90cd941a81769.tmp | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\DisableRestore.mp4v | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\6dc90cd941a81769.tmp | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\JoinUse.rtf | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\PingUndo.mhtml | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files\DECRYPT-FILES.txt | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\ConnectResume.jpeg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\DismountWrite.mpa | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\EnableInitialize.7z | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\ExitResume.asp | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\FindGroup.vdw | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6dc90cd941a81769.tmp | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6dc90cd941a81769.tmp | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\SplitConvert.3g2 | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\StepUndo.ram | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\SyncDeny.emf | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\UnprotectUnlock.midi | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\UseRead.cab | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\pawufefu\ReadMe.txt | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\RemoveCopy.7z | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\6dc90cd941a81769.tmp | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\ExportTest.mpp | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\OpenFind.odt | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\CompleteRemove.mpeg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt | C:\Windows\syswow64\MsiExec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\f7683a2.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI85A4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8603.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f7683a1.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f7683a1.msi | C:\Windows\system32\msiexec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\af64b568501ce3d7e43ace3dca1183e2.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A8" "00000000000005AC"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A58EC127D954BA3C811C961BB65C90F5
C:\Windows\system32\wbem\wmic.exe
"C:\nrxv\a\..\..\Windows\c\opw\ynl\..\..\..\system32\snk\a\..\..\wbem\lxsei\ecdjh\..\..\wmic.exe" shadowcopy delete
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Network
Files
C:\Windows\Installer\MSI8603.tmp
| MD5 | 718d001ca0e953c5f52f8a4ae2697411 |
| SHA1 | 4e5727a404418663b228fedba2007de26f830b07 |
| SHA256 | 53a21f26abc617eda7de86aaad08a2e6df7be31ab529a2f906951baedefe47fd |
| SHA512 | 3f8b80969e38af1138404f05bcab313f8167acc14dc7c905f9bd25e244e4a4d5bca61c601f5a50a5e8bf57668c4100adb08c4fc31668c88814a12c86f36784fc |
\Windows\Installer\MSI8603.tmp
| MD5 | 718d001ca0e953c5f52f8a4ae2697411 |
| SHA1 | 4e5727a404418663b228fedba2007de26f830b07 |
| SHA256 | 53a21f26abc617eda7de86aaad08a2e6df7be31ab529a2f906951baedefe47fd |
| SHA512 | 3f8b80969e38af1138404f05bcab313f8167acc14dc7c905f9bd25e244e4a4d5bca61c601f5a50a5e8bf57668c4100adb08c4fc31668c88814a12c86f36784fc |
memory/2592-13-0x00000000023B0000-0x000000000240D000-memory.dmp
memory/2592-18-0x00000000023B0000-0x000000000240D000-memory.dmp
memory/2592-20-0x00000000023B0000-0x000000000240D000-memory.dmp
memory/2592-23-0x00000000023B0000-0x000000000240D000-memory.dmp
C:\$Recycle.Bin\DECRYPT-FILES.txt
| MD5 | fb782ce8aaf2eee1839a6ccd42cc1d37 |
| SHA1 | 179d3fb8a1690314a520129a0704399cfe355d6f |
| SHA256 | 1300f288f0f36f534ccc2897a0653a5e7f2655487f6d66aae7c93895e1892388 |
| SHA512 | d3083e6901d9845d14472db33d4e53d0db7adce42d48b50941678a08b84014327ec9902a019615ca6aef90d06d147cfa53be5152ccebe280671ba4fa96b313c8 |
C:\Config.Msi\f7683a3.rbs
| MD5 | ad73565c3a021e7afc57b2be3df8ef01 |
| SHA1 | d13bf86e286520c30eaf5fd21a57564903924d68 |
| SHA256 | 0eafc10378df64d9ca5223f10e482a23b534b5de8890f95d9d96205115dab224 |
| SHA512 | 645b62cf20b09d40535a59805f781fadbe252234c4b5be5bddca88c8b6ae52e9ed84446394997e20643cbc8d009de80b3f5c8ade1c67c47253e381957329ed58 |
memory/2592-801-0x00000000023B0000-0x000000000240D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_2BFC39EC52024679BD3781D4359B334F.dat
| MD5 | 663fdb249d342d3f0fffec117cdfa382 |
| SHA1 | 6dd43fceb2908949bf1d2a4538ffe7a550862c0c |
| SHA256 | a08023d0a806a85aa75b507297db1fc5c363410d98b8c4fc2145c7889552c9e8 |
| SHA512 | 1f99aac77e8d39e444214ce379957bbc4b8acb3a56f6fbb47c2c67520f4f0c493a896b8ca06888cf41bdff7e9bced117a09a331c233c1e623dbf8210c86024fc |