ff96f83670b65690810cb178926cf2a945d075bcad6a729b0279c6a3bf0bcf93

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
03-11-2023 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4.msi
Size

126KB
MD5

478dcb54e0a610a160a079656b9582de
SHA1

5ea03fa8326ed87a0c81740092c131f23bc5f651
SHA256

8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4
SHA512

3b1676e12e9b185e9f5ca7dfd43702fd04cc237c21b42137204db0d91bef39e778159115b1113ad3686e45ff9b2df3e5157a3d402ccccd87a656ddbf2b6c734e
SSDEEP

1536:1lnjg5f3DXJLAsfog8Ct45QgVuS3R7YjRk8vYRUoAd2Qf:joJLAsmdi

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (190) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
2460	MSI8BDD.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Messaging\28206591adfef0f5e0a2887209d9dd55\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-w3svc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cbf8f40c40bd6f57\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_lsi_sas2.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_61a63821397a90a8\lsi_sas2.inf_loc.locked	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..devicescontrolpanel_31bf3856ad364e35_6.1.7600.16385_none_8094bd7b62d2b435\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..tional-codepage-708_31bf3856ad364e35_6.1.7600.16385_none_2ae246a0b4dfd97e\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_6.1.7601.17514_none_6fb51b358e21d75f\correct.avi.locked	MSI8BDD.tmp
File opened for modification	C:\Windows\assembly\GAC_32\Policy.6.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.6.0.Microsoft.Ink.config	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..haringapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6a392abf1026b979\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-netpacerinf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a7a4c7437aadd160\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-optionaltsps.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_41171e759c0e13cd\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..rolspanel.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f5efe7e190e2986d\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\docked_gray_thunderstorm.png.locked	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b60543bd2d988807\settings.js.locked	MSI8BDD.tmp
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dire573b08f5#\45c73b666d25924eb01d83df44e6003e\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr.resources_31bf3856ad364e35_6.1.7600.16385_it-it_46762abe7c82b9e8\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\docked_black_thunderstorm.png.locked	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0dcaa2ad5c24a80\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-peerdist_31bf3856ad364e35_6.1.7600.16385_none_7919860403cdb261\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_bth.inf_31bf3856ad364e35_6.1.7601.17514_none_d06ac9aad230c1d6\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\Media\Garden\Windows Hardware Remove.wav.locked	MSI8BDD.tmp
File created	C:\Windows\servicing\Packages\Microsoft-Windows-Gadget-Platform-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.mum.locked	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..nesweeper.resources_31bf3856ad364e35_6.1.7600.16385_it-it_77c3d512afc73bea\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp\7f0531cbaadefd63fb9c1f7ae51fc668\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~zh-CN~7.1.7601.16492.mum.locked	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_brmfcmdm.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_62569aa1b0123319\brmfcmdm.inf_loc.locked	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..ctivation.resources_31bf3856ad364e35_6.1.7600.16385_en-us_581f4464e637a2c6\HELP_What_is_Activation.rtf.locked	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-langreg.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fd3bfb25937494ff\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..henticationbinaries_31bf3856ad364e35_6.1.7600.16385_none_c4d1464ab88fbcb4\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-lsa-msprivs.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c31e7d0812c8dc9c\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..networkconfigwizard_31bf3856ad364e35_6.1.7601.17514_none_3712ac6ce5bea376\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\servicing\Sessions\31065561_629570944.xml.locked	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_hidserv.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b0fe3f001c80fb07\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_de-de_b8b7e5c5ba11edf8\dv_aspnetmmc.chm.locked	MSI8BDD.tmp
File created	C:\Windows\servicing\Version\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..eady_eula.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_38563db42d064525\playready_eula.txt.locked	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\500-100.asp.locked	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ndservice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bf83b64046ddace7\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\84b83e7639310b35b5ce150df62a2843\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_adp94xx.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d45d01f33688f55f\adp94xx.inf_loc.locked	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..panese_dec_lk411-aj_31bf3856ad364e35_6.1.7601.17514_none_afe5eac6921f1c8c\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Windows Balloon.wav.locked	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..tional-chinese-core_31bf3856ad364e35_6.1.7601.17514_none_b7aa02fc1797974c\IMTCLS.IMD.locked	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_CommonParameters.help.txt.locked	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..revention.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c80b734bdadc6581\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..tivexcore.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_746a89639016e5ce\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_en_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml.locked	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..tomizationsnonwinpe_31bf3856ad364e35_6.1.7601.17514_none_29f4eed2a5d64c25\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_fr_31bf3856ad364e35\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..-heap-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2f5a8be71ffadebb\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-pnphotplugui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8f1b182d2b805d95\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..serverbox.resources_31bf3856ad364e35_6.1.7600.16385_de-de_507fb5d2caba6cfb\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..serverbox.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2840d40276de7820\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\assembly\GAC_MSIL\System.ServiceModel.Web.resources\3.5.0.0_fr_31bf3856ad364e35\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\main.js.locked	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_40835b7502551707\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Windows Logoff Sound.wav.locked	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-taskmgr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_32d103f978c42b21\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.SmartTag\14.0.0.0__71e9bce111e9429c\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\Performance\WinSAT\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_hpsamd.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b66292cf4a8c0b22\READ_ME4.html	MSI8BDD.tmp
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-msdri_31bf3856ad364e35_6.1.7601.17514_none_c42ec687fee190a5\READ_ME4.html	MSI8BDD.tmp

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2916	vssadmin.exe

Kills process with taskkill 40 IoCs

evasion

pid	Process
952	taskkill.exe
2804	taskkill.exe
572	taskkill.exe
1844	taskkill.exe
2452	taskkill.exe
2676	taskkill.exe
2580	taskkill.exe
2568	taskkill.exe
2868	taskkill.exe
2848	taskkill.exe
2356	taskkill.exe
1956	taskkill.exe
2688	taskkill.exe
552	taskkill.exe
1152	taskkill.exe
280	taskkill.exe
2696	taskkill.exe
1960	taskkill.exe
824	taskkill.exe
916	taskkill.exe
1036	taskkill.exe
1692	taskkill.exe
700	taskkill.exe
1584	taskkill.exe
1244	taskkill.exe
688	taskkill.exe
1756	taskkill.exe
1048	taskkill.exe
1932	taskkill.exe
1716	taskkill.exe
2972	taskkill.exe
992	taskkill.exe
2508	taskkill.exe
2232	taskkill.exe
780	taskkill.exe
568	taskkill.exe
1784	taskkill.exe
1988	taskkill.exe
3052	taskkill.exe
2816	taskkill.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1464	msiexec.exe
1464	msiexec.exe
2460	MSI8BDD.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2228	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeSecurityPrivilege	1464	msiexec.exe
Token: SeCreateTokenPrivilege	2228	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2228	msiexec.exe
Token: SeLockMemoryPrivilege	2228	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2228	msiexec.exe
Token: SeMachineAccountPrivilege	2228	msiexec.exe
Token: SeTcbPrivilege	2228	msiexec.exe
Token: SeSecurityPrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeLoadDriverPrivilege	2228	msiexec.exe
Token: SeSystemProfilePrivilege	2228	msiexec.exe
Token: SeSystemtimePrivilege	2228	msiexec.exe
Token: SeProfSingleProcessPrivilege	2228	msiexec.exe
Token: SeIncBasePriorityPrivilege	2228	msiexec.exe
Token: SeCreatePagefilePrivilege	2228	msiexec.exe
Token: SeCreatePermanentPrivilege	2228	msiexec.exe
Token: SeBackupPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeShutdownPrivilege	2228	msiexec.exe
Token: SeDebugPrivilege	2228	msiexec.exe
Token: SeAuditPrivilege	2228	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2228	msiexec.exe
Token: SeChangeNotifyPrivilege	2228	msiexec.exe
Token: SeRemoteShutdownPrivilege	2228	msiexec.exe
Token: SeUndockPrivilege	2228	msiexec.exe
Token: SeSyncAgentPrivilege	2228	msiexec.exe
Token: SeEnableDelegationPrivilege	2228	msiexec.exe
Token: SeManageVolumePrivilege	2228	msiexec.exe
Token: SeImpersonatePrivilege	2228	msiexec.exe
Token: SeCreateGlobalPrivilege	2228	msiexec.exe
Token: SeBackupPrivilege	2028	vssvc.exe
Token: SeRestorePrivilege	2028	vssvc.exe
Token: SeAuditPrivilege	2028	vssvc.exe
Token: SeBackupPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeLoadDriverPrivilege	2676	DrvInst.exe
Token: SeLoadDriverPrivilege	2676	DrvInst.exe
Token: SeLoadDriverPrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeRestorePrivilege	1464	msiexec.exe
Token: SeTakeOwnershipPrivilege	1464	msiexec.exe
Token: SeDebugPrivilege	2460	MSI8BDD.tmp
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	1244	taskkill.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	572	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2228	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2460	1464	msiexec.exe	32
PID 1464 wrote to memory of 2460	1464	msiexec.exe	32
PID 1464 wrote to memory of 2460	1464	msiexec.exe	32
PID 2460 wrote to memory of 2912	2460	MSI8BDD.tmp	34
PID 2460 wrote to memory of 2912	2460	MSI8BDD.tmp	34
PID 2460 wrote to memory of 2912	2460	MSI8BDD.tmp	34
PID 2912 wrote to memory of 2916	2912	cmd.exe	36
PID 2912 wrote to memory of 2916	2912	cmd.exe	36
PID 2912 wrote to memory of 2916	2912	cmd.exe	36
PID 2460 wrote to memory of 2712	2460	MSI8BDD.tmp	37
PID 2460 wrote to memory of 2712	2460	MSI8BDD.tmp	37
PID 2460 wrote to memory of 2712	2460	MSI8BDD.tmp	37
PID 2712 wrote to memory of 2688	2712	cmd.exe	39
PID 2712 wrote to memory of 2688	2712	cmd.exe	39
PID 2712 wrote to memory of 2688	2712	cmd.exe	39
PID 2460 wrote to memory of 2716	2460	MSI8BDD.tmp	41
PID 2460 wrote to memory of 2716	2460	MSI8BDD.tmp	41
PID 2460 wrote to memory of 2716	2460	MSI8BDD.tmp	41
PID 2716 wrote to memory of 1244	2716	cmd.exe	43
PID 2716 wrote to memory of 1244	2716	cmd.exe	43
PID 2716 wrote to memory of 1244	2716	cmd.exe	43
PID 2460 wrote to memory of 1192	2460	MSI8BDD.tmp	44
PID 2460 wrote to memory of 1192	2460	MSI8BDD.tmp	44
PID 2460 wrote to memory of 1192	2460	MSI8BDD.tmp	44
PID 1192 wrote to memory of 552	1192	cmd.exe	46
PID 1192 wrote to memory of 552	1192	cmd.exe	46
PID 1192 wrote to memory of 552	1192	cmd.exe	46
PID 2460 wrote to memory of 1548	2460	MSI8BDD.tmp	47
PID 2460 wrote to memory of 1548	2460	MSI8BDD.tmp	47
PID 2460 wrote to memory of 1548	2460	MSI8BDD.tmp	47
PID 1548 wrote to memory of 2804	1548	cmd.exe	49
PID 1548 wrote to memory of 2804	1548	cmd.exe	49
PID 1548 wrote to memory of 2804	1548	cmd.exe	49
PID 2460 wrote to memory of 2660	2460	MSI8BDD.tmp	50
PID 2460 wrote to memory of 2660	2460	MSI8BDD.tmp	50
PID 2460 wrote to memory of 2660	2460	MSI8BDD.tmp	50
PID 2660 wrote to memory of 572	2660	cmd.exe	52
PID 2660 wrote to memory of 572	2660	cmd.exe	52
PID 2660 wrote to memory of 572	2660	cmd.exe	52
PID 2460 wrote to memory of 940	2460	MSI8BDD.tmp	53
PID 2460 wrote to memory of 940	2460	MSI8BDD.tmp	53
PID 2460 wrote to memory of 940	2460	MSI8BDD.tmp	53
PID 940 wrote to memory of 824	940	cmd.exe	55
PID 940 wrote to memory of 824	940	cmd.exe	55
PID 940 wrote to memory of 824	940	cmd.exe	55
PID 2460 wrote to memory of 1424	2460	MSI8BDD.tmp	56
PID 2460 wrote to memory of 1424	2460	MSI8BDD.tmp	56
PID 2460 wrote to memory of 1424	2460	MSI8BDD.tmp	56
PID 1424 wrote to memory of 916	1424	cmd.exe	58
PID 1424 wrote to memory of 916	1424	cmd.exe	58
PID 1424 wrote to memory of 916	1424	cmd.exe	58
PID 2460 wrote to memory of 2520	2460	MSI8BDD.tmp	59
PID 2460 wrote to memory of 2520	2460	MSI8BDD.tmp	59
PID 2460 wrote to memory of 2520	2460	MSI8BDD.tmp	59
PID 2520 wrote to memory of 2568	2520	cmd.exe	61
PID 2520 wrote to memory of 2568	2520	cmd.exe	61
PID 2520 wrote to memory of 2568	2520	cmd.exe	61
PID 2460 wrote to memory of 1808	2460	MSI8BDD.tmp	62
PID 2460 wrote to memory of 1808	2460	MSI8BDD.tmp	62
PID 2460 wrote to memory of 1808	2460	MSI8BDD.tmp	62
PID 1808 wrote to memory of 1036	1808	cmd.exe	64
PID 1808 wrote to memory of 1036	1808	cmd.exe	64
PID 1808 wrote to memory of 1036	1808	cmd.exe	64
PID 2460 wrote to memory of 2576	2460	MSI8BDD.tmp	65

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8177455ab89cc96f0c26bc42907da1a4f0b21fdc96a0cc96650843fd616551f4.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2228

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\Installer\MSI8BDD.tmp
  "C:\Windows\Installer\MSI8BDD.tmp" debug
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c vssadmin delete shadows /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all
      4⤵
      Interacts with shadow copies
      PID:2916
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im msftesql.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msftesql.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2688
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im sqlagent.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im sqlagent.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1244
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im sqlbrowser.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:552
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im sqlservr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im sqlservr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2804
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im sqlwriter.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im sqlwriter.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:572
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im oracle.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im oracle.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:824
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im ocssd.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im ocssd.exe
      4⤵
      Kills process with taskkill
      PID:916
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im dbsnmp.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im dbsnmp.exe
      4⤵
      Kills process with taskkill
      PID:2568
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im synctime.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im synctime.exe
      4⤵
      Kills process with taskkill
      PID:1036
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im mydesktopqos.exe
    3⤵
    PID:2576
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im mydesktopqos.exe
      4⤵
      Kills process with taskkill
      PID:1844
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im agntsvc.exeisqlplussvc.exe
    3⤵
    PID:2280
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im agntsvc.exeisqlplussvc.exe
      4⤵
      Kills process with taskkill
      PID:1784
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im xfssvccon.exe
    3⤵
    PID:1496
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im xfssvccon.exe
      4⤵
      Kills process with taskkill
      PID:1716
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im mydesktopservice.exe
    3⤵
    PID:1908
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im mydesktopservice.exe
      4⤵
      Kills process with taskkill
      PID:2972
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im ocautoupds.exe
    3⤵
    PID:1356
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im ocautoupds.exe
      4⤵
      Kills process with taskkill
      PID:688
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im agntsvc.exeagntsvc.exe
    3⤵
    PID:996
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im agntsvc.exeagntsvc.exe
      4⤵
      Kills process with taskkill
      PID:992
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im agntsvc.exeencsvc.exe
    3⤵
    PID:2976
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im agntsvc.exeencsvc.exe
      4⤵
      Kills process with taskkill
      PID:1988
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im firefoxconfig.exe
    3⤵
    PID:616
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im firefoxconfig.exe
      4⤵
      Kills process with taskkill
      PID:2452
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im tbirdconfig.exe
    3⤵
    PID:1708
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im tbirdconfig.exe
      4⤵
      Kills process with taskkill
      PID:1152
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im ocomm.exe
    3⤵
    PID:2212
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im ocomm.exe
      4⤵
      Kills process with taskkill
      PID:1756
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im mysqld.exe
    3⤵
    PID:2156
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im mysqld.exe
      4⤵
      Kills process with taskkill
      PID:280
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im mysqld-nt.exe
    3⤵
    PID:1588
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im mysqld-nt.exe
      4⤵
      Kills process with taskkill
      PID:1692
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im mysqld-opt.exe
    3⤵
    PID:2956
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im mysqld-opt.exe
      4⤵
      Kills process with taskkill
      PID:2508
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im dbeng50.exe
    3⤵
    PID:832
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im dbeng50.exe
      4⤵
      Kills process with taskkill
      PID:2232
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im sqbcoreservice.exe
    3⤵
    PID:2480
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im sqbcoreservice.exe
      4⤵
      Kills process with taskkill
      PID:2676
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im excel.exe
    3⤵
    PID:1196
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im excel.exe
      4⤵
      Kills process with taskkill
      PID:3052
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im infopath.exe
    3⤵
    PID:632
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im infopath.exe
      4⤵
      Kills process with taskkill
      PID:780
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im msaccess.exe
    3⤵
    PID:3060
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im msaccess.exe
      4⤵
      Kills process with taskkill
      PID:2868
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im mspub.exe
    3⤵
    PID:2920
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im mspub.exe
      4⤵
      Kills process with taskkill
      PID:2696
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im onenote.exe
    3⤵
    PID:3040
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im onenote.exe
      4⤵
      Kills process with taskkill
      PID:1048
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im outlook.exe
    3⤵
    PID:2800
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im outlook.exe
      4⤵
      Kills process with taskkill
      PID:568
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im powerpnt.exe
    3⤵
    PID:964
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im powerpnt.exe
      4⤵
      Kills process with taskkill
      PID:2580
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im steam.exe
    3⤵
    PID:3048
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im steam.exe
      4⤵
      Kills process with taskkill
      PID:2816
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im sqlservr.exe
    3⤵
    PID:1568
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im sqlservr.exe
      4⤵
      Kills process with taskkill
      PID:952
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im thebat.exe
    3⤵
    PID:3064
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im thebat.exe
      4⤵
      Kills process with taskkill
      PID:2848
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im thebat64.exe
    3⤵
    PID:2180
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im thebat64.exe
      4⤵
      Kills process with taskkill
      PID:700
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im thunderbird.exe
    3⤵
    PID:2016
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im thunderbird.exe
      4⤵
      Kills process with taskkill
      PID:2356
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im visio.exe
    3⤵
    PID:2384
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im visio.exe
      4⤵
      Kills process with taskkill
      PID:1932
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im winword.exe
    3⤵
    PID:384
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im winword.exe
      4⤵
      Kills process with taskkill
      PID:1960
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im wordpad.exe
    3⤵
    PID:1980
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im wordpad.exe
      4⤵
      Kills process with taskkill
      PID:1584
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c taskkill /f /im tnslsnr.exe
    3⤵
    PID:1856
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im tnslsnr.exe
      4⤵
      Kills process with taskkill
      PID:1956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000498" "0000000000000060"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Music\READ_ME4.html

Filesize
1KB

MD5
d83ac45979eea226dc16a273cbe9cb7c

SHA1
4340ef0c564efd27f279a98eab98a4ab1d55cd1f

SHA256
e9a02e9279cb42bd967d72d6ee371c46a99fc13f794ece358ea2b94d58c5056e

SHA512
d437f2dfc5e4ddf7569466377589b4b1b35c900d0e0e764bfed4bb6aa23d29f9fc7473fb362a745c6433b33fc295f5e5a2283c1e0d103ce7ee37ad9ce2f602ee

Download Submit
C:\Windows\Installer\MSI8BDD.tmp

Filesize
74KB

MD5
26ff72b0b85e764400724e442c164046

SHA1
c789942d013d8b45b6988ecc6491f5f1a1746311

SHA256
c3c0cf25d682e981c7ce1cc0a00fa2b8b46cce2fa49abe38bb412da21da99cb7

SHA512
fe9fdef93dfc44078cbbedd8d77c150932752be48b5f55eb0477c87bdcc8f4257fbaddf57b7d4a24c975f994d1940862bcd9444dc4b533561a10d27fac6058fe

Download Submit
C:\Windows\Installer\MSI8BDD.tmp

Filesize
74KB

MD5
26ff72b0b85e764400724e442c164046

SHA1
c789942d013d8b45b6988ecc6491f5f1a1746311

SHA256
c3c0cf25d682e981c7ce1cc0a00fa2b8b46cce2fa49abe38bb412da21da99cb7

SHA512
fe9fdef93dfc44078cbbedd8d77c150932752be48b5f55eb0477c87bdcc8f4257fbaddf57b7d4a24c975f994d1940862bcd9444dc4b533561a10d27fac6058fe

Download Submit
memory/2460-11-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2460-12-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-13-0x0000000000B20000-0x0000000000BA0000-memory.dmp

Filesize
512KB

Download
memory/2460-14-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-16-0x0000000000B20000-0x0000000000BA0000-memory.dmp

Filesize
512KB

Download
memory/2460-15-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download