1d9f66794a5af4e409a6c6b32a14d674cc1ea96f69e2cf2acb3c7b997750d5f8

Analysis

max time kernel
793s
max time network
887s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
03/02/2024, 13:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MinecraftInstaller.msi
Size

2.5MB
MD5

22991d4ef03118107a943934d92319d1
SHA1

832ea164d844401f9eced5bf84d45ad4b273cf8c
SHA256

1d9f66794a5af4e409a6c6b32a14d674cc1ea96f69e2cf2acb3c7b997750d5f8
SHA512

79a87b895184188d987f9390f28c20ab4d999d953f9c3d3f92f9d0069a0dc6490c4ef69603e12b62554d809a08b97a79b12f98055b0ebc6a91d5215e3b95fd33
SSDEEP

49152:69wfmqHrSa1uL7TFSCEeQ6EOMhKqL0WCb:+7a1ugeQVhLha

Score

6^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	2552	msiexec.exe
3	2552	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\compmgmt.msc	mmc.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIF8C7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF8E8.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f5db.msi	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File created	C:\Windows\Installer\SourceHash{733C3ACB-432D-4880-B0E1-660000D7974D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB0C.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB1FF2067DB276BF5.TMP	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File created	C:\Windows\Installer\e57f5d9.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File created	C:\Windows\Installer\{733C3ACB-432D-4880-B0E1-660000D7974D}\minecraft.ico	msiexec.exe
File created	C:\Windows\SystemTemp\~DF676FEEBEE84DA427.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\{733C3ACB-432D-4880-B0E1-660000D7974D}\minecraft.ico	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Installer\e57f5d9.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF00C22533DBC8BB96.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0527C151278F00BC.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA31.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
3248	Uninst.exe

Loads dropped DLL 4 IoCs

pid	Process
5032	MsiExec.exe
5008	MsiExec.exe
5008	MsiExec.exe
900	MsiExec.exe

Registers COM server for autorun 1 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	Uninst.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b0cc323fcaa8ba2e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b0cc323f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b0cc323f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db0cc323f000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b0cc323f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\SourceList\PackageName = "MinecraftInstaller.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\FOLDER\SHELLEX\CONTEXTMENUHANDLERS\7-ZIP	Uninst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\ProductIcon = "C:\\Windows\\Installer\\{733C3ACB-432D-4880-B0E1-660000D7974D}\\minecraft.ico"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\*\SHELLEX\CONTEXTMENUHANDLERS\7-ZIP	Uninst.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\DIRECTORY\SHELLEX\DRAGDROPHANDLERS\7-ZIP	Uninst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BCA3C337D23408840B1E6600007D79D4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1BBEC3237AF740F4DA613B3C4353A9A6	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	Uninst.exe
Key created	\REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\ProductName = "Minecraft Launcher"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\DeploymentFlags = "3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\DIRECTORY\SHELLEX\CONTEXTMENUHANDLERS\7-ZIP	Uninst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\AdvertiseFlags = "388"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{23170F69-40C1-278A-1000-000100020000}	Uninst.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{23170F69-40C1-278A-1000-000100020000}	Uninst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\PackageCode = "54FE00570550045418568622471E508D"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\DRIVE\SHELLEX\DRAGDROPHANDLERS\7-ZIP	Uninst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	Uninst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BCA3C337D23408840B1E6600007D79D4\Complete	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BCA3C337D23408840B1E6600007D79D4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1BBEC3237AF740F4DA613B3C4353A9A6\BCA3C337D23408840B1E6600007D79D4	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2748	msiexec.exe
2748	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5112	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2552	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2552	msiexec.exe
Token: SeSecurityPrivilege	2748	msiexec.exe
Token: SeCreateTokenPrivilege	2552	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2552	msiexec.exe
Token: SeLockMemoryPrivilege	2552	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2552	msiexec.exe
Token: SeMachineAccountPrivilege	2552	msiexec.exe
Token: SeTcbPrivilege	2552	msiexec.exe
Token: SeSecurityPrivilege	2552	msiexec.exe
Token: SeTakeOwnershipPrivilege	2552	msiexec.exe
Token: SeLoadDriverPrivilege	2552	msiexec.exe
Token: SeSystemProfilePrivilege	2552	msiexec.exe
Token: SeSystemtimePrivilege	2552	msiexec.exe
Token: SeProfSingleProcessPrivilege	2552	msiexec.exe
Token: SeIncBasePriorityPrivilege	2552	msiexec.exe
Token: SeCreatePagefilePrivilege	2552	msiexec.exe
Token: SeCreatePermanentPrivilege	2552	msiexec.exe
Token: SeBackupPrivilege	2552	msiexec.exe
Token: SeRestorePrivilege	2552	msiexec.exe
Token: SeShutdownPrivilege	2552	msiexec.exe
Token: SeDebugPrivilege	2552	msiexec.exe
Token: SeAuditPrivilege	2552	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2552	msiexec.exe
Token: SeChangeNotifyPrivilege	2552	msiexec.exe
Token: SeRemoteShutdownPrivilege	2552	msiexec.exe
Token: SeUndockPrivilege	2552	msiexec.exe
Token: SeSyncAgentPrivilege	2552	msiexec.exe
Token: SeEnableDelegationPrivilege	2552	msiexec.exe
Token: SeManageVolumePrivilege	2552	msiexec.exe
Token: SeImpersonatePrivilege	2552	msiexec.exe
Token: SeCreateGlobalPrivilege	2552	msiexec.exe
Token: SeCreateTokenPrivilege	2552	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2552	msiexec.exe
Token: SeLockMemoryPrivilege	2552	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2552	msiexec.exe
Token: SeMachineAccountPrivilege	2552	msiexec.exe
Token: SeTcbPrivilege	2552	msiexec.exe
Token: SeSecurityPrivilege	2552	msiexec.exe
Token: SeTakeOwnershipPrivilege	2552	msiexec.exe
Token: SeLoadDriverPrivilege	2552	msiexec.exe
Token: SeSystemProfilePrivilege	2552	msiexec.exe
Token: SeSystemtimePrivilege	2552	msiexec.exe
Token: SeProfSingleProcessPrivilege	2552	msiexec.exe
Token: SeIncBasePriorityPrivilege	2552	msiexec.exe
Token: SeCreatePagefilePrivilege	2552	msiexec.exe
Token: SeCreatePermanentPrivilege	2552	msiexec.exe
Token: SeBackupPrivilege	2552	msiexec.exe
Token: SeRestorePrivilege	2552	msiexec.exe
Token: SeShutdownPrivilege	2552	msiexec.exe
Token: SeDebugPrivilege	2552	msiexec.exe
Token: SeAuditPrivilege	2552	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2552	msiexec.exe
Token: SeChangeNotifyPrivilege	2552	msiexec.exe
Token: SeRemoteShutdownPrivilege	2552	msiexec.exe
Token: SeUndockPrivilege	2552	msiexec.exe
Token: SeSyncAgentPrivilege	2552	msiexec.exe
Token: SeEnableDelegationPrivilege	2552	msiexec.exe
Token: SeManageVolumePrivilege	2552	msiexec.exe
Token: SeImpersonatePrivilege	2552	msiexec.exe
Token: SeCreateGlobalPrivilege	2552	msiexec.exe
Token: SeCreateTokenPrivilege	2552	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2552	msiexec.exe
Token: SeLockMemoryPrivilege	2552	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2552	msiexec.exe
2552	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4904	MiniSearchHost.exe
5112	mmc.exe
5112	mmc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 5032	2748	msiexec.exe	82
PID 2748 wrote to memory of 5032	2748	msiexec.exe	82
PID 2748 wrote to memory of 5032	2748	msiexec.exe	82
PID 2748 wrote to memory of 5044	2748	msiexec.exe	86
PID 2748 wrote to memory of 5044	2748	msiexec.exe	86
PID 2748 wrote to memory of 5008	2748	msiexec.exe	89
PID 2748 wrote to memory of 5008	2748	msiexec.exe	89
PID 2748 wrote to memory of 5008	2748	msiexec.exe	89
PID 2748 wrote to memory of 900	2748	msiexec.exe	90
PID 2748 wrote to memory of 900	2748	msiexec.exe	90
PID 2748 wrote to memory of 900	2748	msiexec.exe	90
PID 2728 wrote to memory of 3248	2728	Uninstall.exe	101
PID 2728 wrote to memory of 3248	2728	Uninstall.exe	101
PID 2728 wrote to memory of 3248	2728	Uninstall.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\MinecraftInstaller.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2552

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B81E2183BE207A513DD823BF43C245A2 C
  2⤵
  - Loads dropped DLL
  PID:5032
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5044
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B8D12303F50B8D1B484B0EE341EAC933
  2⤵
  - Loads dropped DLL
  PID:5008
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 70FAFA664A1C6C943E161A0BDA641001 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2176

C:\Program Files\7-Zip\Uninstall.exe
"C:\Program Files\7-Zip\Uninstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\7zB4A7CAA8\Uninst.exe
  C:\Users\Admin\AppData\Local\Temp\7zB4A7CAA8\Uninst.exe /N /D="C:\Program Files\7-Zip\"
  2⤵
  - Executes dropped EXE
  - Registers COM server for autorun
  - Modifies registry class
  PID:3248

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4904

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3596

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:2968

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc"
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004E0
1⤵
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f5da.rbs

Filesize
8KB

MD5
d6d10e2cf49808dc4f05b437ef25db4c

SHA1
7b3178c985467f6c5207706c5e7a7ba4adfdc3d4

SHA256
800d783d5a0b9c6dcc907174d5b987645903f9f3aaa0cbd48a3aecb23e62e8e9

SHA512
0ae66018117ebea4d75a16ef7ddf027fffd9faae2a0043cbe7606c9190c28742c2a347ed53ac63dd87b05dd9ed1ff139f80f29f3612ff2802fd59078ac662d4b

Download Submit
C:\Program Files (x86)\Minecraft Launcher\MinecraftLauncher.exe

Filesize
3.3MB

MD5
0501b8eb39f00dcaa3c89ccec2fbde17

SHA1
cb7b82a5d02a2b5ea9c16b5083015c832b556405

SHA256
161ba4c1b21cd20b15573f0ccfc4a5cbab8dedd94c722cd60afb8551d8d91dc2

SHA512
4ab6a3fd31c7551578f07ada264bb93a22eb16f75fdbcfaecf4c0861535a2f631082da5f6003ff9f57fda231e783cbf200caa6a6d6bdefbe08d64f33c67855b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
7f1b1d27185645258adad2c7d1871e10

SHA1
9629acbf2106fe878d975c6c8f4a5823e2c37eb8

SHA256
9ac745037a5b2314dd9d7f5d25478fea7430a9242e0e83ad263a0f142e2218bc

SHA512
0f9eebca4fd79e77eaf454c387d8814eaf05c7155ea9387e179a53a4c0615110a2860c4a2e975257bf672049c63054641bbc3f9e47d55b0ac90beb8060b35b63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_6BE73709C7F4D409D3FEEFF27BA07C40

Filesize
471B

MD5
8660d321a2e1d0e6dde5afeab9c55d7c

SHA1
ffa525cdff07c08c0ced0eba95bab20de58fe824

SHA256
e12b0515c0c837d45d6bbad72777015d237679479378d993b635ec627d735bb6

SHA512
232813183cc0fd55779672505fa2f5d227ff64385441de7644782c8ffe03d153c10dae1748b7fd08b8a3a8850389e14ed85dbadcf51830b12f1b4ea0ade57cd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
404B

MD5
8c452d5ac3781db1643194ad175437d8

SHA1
cb866d30a0451327c549aa3385a62086dbaa769f

SHA256
f4047e5bdd5d298cfe68123f691ddab992631d65f0846a025f8471c86e3b4e6b

SHA512
340366d94fdc07082e91bc56bb5bfbbca8340fc36bd360a3c1410b0c44dc14a832a0fc6fe1bf12bfd2265c7668669d04f9cee22e3de7e45a2e219c86158e9d20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_6BE73709C7F4D409D3FEEFF27BA07C40

Filesize
400B

MD5
bae3d042815728c6b4e98b6840e56e0a

SHA1
42d76d9e5cf77039f63bb3c2c8f6946cf92cb2b7

SHA256
f479a9354ff88aee837d32f0515a746841ba7a465033c2001dd47705b7aee3e3

SHA512
23792bbad407c5409f207f2f65604eee1fe68193399d3a36627b6ed615ad22037af9afe69daa35ab5433c695f87f8d2e9f1b1aa0121fd3a67cc77d8dd4ac3005

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
f9169c84ab84b6cc2d8f555941b2086a

SHA1
e2237e2323076fd96313e30b48cec28b3ecd676f

SHA256
c559f19c459421f32263a90537435d60c4b55182331c29919082cd1581afdd28

SHA512
9aaeb56c0b93a9ec81472f0de7dfcaf7bbd89c744255e6f73d19e8c2d0e7affcfc122a2a22ab1b62d4cc33ca1282e65c4df6f19e83ee437343d15813ebbfb8df

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
a7bfbc72d80f9ad3ca91bd95f9172f8e

SHA1
7e4b93fa8fad009915a46270235a91c2f115b0ed

SHA256
178aa8e0eaf727584fcfd3c0df83d1840f3c7a3fa4625e91cbae4cc18f431be8

SHA512
35958af5aedcf4a10181420e2d4a6f1f8ac36a707ba5c287fffbd4b8c2e85768f11cb7a17988f24998435826a6d68853e6e837f359afac3405522f66ac61451f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zB4A7CAA8\Uninst.exe

Filesize
14KB

MD5
ad782ffac62e14e2269bf1379bccbaae

SHA1
9539773b550e902a35764574a2be2d05bc0d8afc

SHA256
1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8

SHA512
a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA930.tmp

Filesize
87KB

MD5
48eaf9d4ccf75bc06bbc5d33e78b7fff

SHA1
c710753c265b148f27ff3f358bb0ee980ab46423

SHA256
9ae2608edd49d2c319bb7bcfc24550bd9fb88b2f100fe90222a6fc55ca43c589

SHA512
505f4366f7258df3a88af77dde8335709063dd43298bf0ff8529992d53a60ad8de7d7ac65533f1ffc3a7f3ad4ca3a04c85366bfb9a14b47221609e6d36951d77

Download Submit
C:\Windows\Installer\MSIF8E8.tmp

Filesize
181KB

MD5
785ee78478d43f00870e91fa96b94646

SHA1
97e3f06230bb97333db9574e56a187c2b5dfce50

SHA256
b8665993cd5f7224e35c122a5c1965f8c4f2b4d9d41f75160b515e66f9affc53

SHA512
d34cd716d1925c2286a0d75a4e31d8a3deaaf381322cbd1931d3e26a51addd1d37f6c72f6511f6e7058c8ad1f016f4fa26e9594b02bb7bbba874c1b2406ac3ed

Download Submit
C:\Windows\Installer\e57f5d9.msi

Filesize
2.5MB

MD5
22991d4ef03118107a943934d92319d1

SHA1
832ea164d844401f9eced5bf84d45ad4b273cf8c

SHA256
1d9f66794a5af4e409a6c6b32a14d674cc1ea96f69e2cf2acb3c7b997750d5f8

SHA512
79a87b895184188d987f9390f28c20ab4d999d953f9c3d3f92f9d0069a0dc6490c4ef69603e12b62554d809a08b97a79b12f98055b0ebc6a91d5215e3b95fd33

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
9a09b80972b164f71806e9c7b0a5a33b

SHA1
37e238ca8b8e7ce189d2899202378552e3b2ad44

SHA256
a0c912d1281b3e84c5479c39b1d0821dcef56a6576c131203cdd60a3f8da74a1

SHA512
fab78261e5d2f110fa8896dc75893be872c75df469ebcb513aabd4be6eac0bc98560a70dc435cc541554bff4119d8d7b6256e86cb36d4b38bbb2d500e0351655

Download Submit
\??\Volume{3f32ccb0-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c519db17-337e-4a9e-b38d-13679c987f71}_OnDiskSnapshotProp

Filesize
6KB

MD5
1a88429151021492317d684ebb1225d1

SHA1
415ca42322cb33815a13c3668606fa33a4eaba3e

SHA256
438990463c779bae8c8f3aecd3b720c4da7776fc01f1312d4b0307785fb73c30

SHA512
963a3feb500b19b69476815a56851bf8375f4cd37783704efa06304163781c1c424522334ec1b9fb504fb8306a3f767c8a38a3fa029b719695f8e41fa1c7b933

Download Submit
memory/5112-95-0x00007FFA75770000-0x00007FFA76232000-memory.dmp

Filesize
10.8MB

Download
memory/5112-96-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/5112-97-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/5112-98-0x00007FFA75770000-0x00007FFA76232000-memory.dmp

Filesize
10.8MB

Download
memory/5112-99-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/5112-100-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/5112-101-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/5112-104-0x00007FF41BCF0000-0x00007FF41BD00000-memory.dmp

Filesize
64KB

Download
memory/5112-106-0x00007FFA75770000-0x00007FFA76232000-memory.dmp

Filesize
10.8MB

Download