d9257dd481535be0e70e853e8b5c77eef940916291580f7299ddf61228765b93

Analysis

max time kernel
113s
max time network
99s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
28-02-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hi-ResAudioRecorder_1.1.0.exe
Size

16.8MB
MD5

378495b8675cce81f65d46dddfe85cf2
SHA1

0826e5699a90544781f5fbbaca2a75af593c30ce
SHA256

d9257dd481535be0e70e853e8b5c77eef940916291580f7299ddf61228765b93
SHA512

76d7682d4673156644e22eeaae9467e7a7aa85d036ce207126b18fe5160ab8742a73e8c1279ddaa221be2069dfd4e8e7cb9d52a85307e88f8af51b00ebd9fd49
SSDEEP

393216:KtvV4qwg4LmaAVIkUHY8430AjP8oQPbLFab6:Ktyg4B8U484d89/f

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1408	Setup (x64).exe

Loads dropped DLL 5 IoCs

pid	Process
1008	Hi-ResAudioRecorder_1.1.0.exe
4668	MsiExec.exe
1760	MsiExec.exe
1244	MsiExec.exe
1760	MsiExec.exe

Registers COM server for autorun 1 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}\InprocServer32\ = "C:\\Program Files\\Sony Corporation\\Sony Turntable Driver\\Sony Turntable Driver.dll"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}\InprocServer32\InprocServer32 = 360069006e00440026004e0065002d006100410077004a002a006e00680070002d00430062004f003e0028002500530053007a00340043006a005d00390041007e0030006d003f005e00250075004d00740000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}\InprocServer32	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{55E2D859-A1A9-4ED7-AA57-3211CE2F8A47} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Hi-ResAudioRecorder_1.1.0.exe\""	Hi-ResAudioRecorder_1.1.0.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\system32\Sony_Turntable_Coinst.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a6cb8b07-e727-ed4b-8267-a862933a2074}\SETD35.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a6cb8b07-e727-ed4b-8267-a862933a2074}\Sony_Turntable_Driver.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a6cb8b07-e727-ed4b-8267-a862933a2074}\Sony_Turntable_Driver.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sony_turntable_driver.inf_amd64_98e92a71bf615e8e\Sony_Turntable_Driver.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{a6cb8b07-e727-ed4b-8267-a862933a2074}\SETD35.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a6cb8b07-e727-ed4b-8267-a862933a2074}\Sony_Turntable_Driver.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a6cb8b07-e727-ed4b-8267-a862933a2074}\SETD47.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a6cb8b07-e727-ed4b-8267-a862933a2074}	DrvInst.exe
File created	C:\Windows\system32\Sony Turntable Driver Control Panel.cpl	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a6cb8b07-e727-ed4b-8267-a862933a2074}\SETD36.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a6cb8b07-e727-ed4b-8267-a862933a2074}\SETD36.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a6cb8b07-e727-ed4b-8267-a862933a2074}\SETD47.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sony_turntable_driver.inf_amd64_98e92a71bf615e8e\Sony_Turntable_Driver.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sony_turntable_driver.inf_amd64_98e92a71bf615e8e\Sony_Turntable_Driver.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\sony_turntable_driver.inf_amd64_98e92a71bf615e8e\Sony_Turntable_Driver.PNF	MsiExec.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Sony Corporation\Sony Turntable Driver\Sony Turntable Driver Control Panel.exe	msiexec.exe
File created	C:\Program Files\Sony Corporation\Sony Turntable Driver\Sony_Turntable_Driver.sys	msiexec.exe
File created	C:\Program Files\Sony Corporation\Sony Turntable Driver\Sony_Turntable_Driver.cat	msiexec.exe
File created	C:\Program Files\Sony Corporation\Sony Turntable Driver\Sony_Turntable_Driver.inf	msiexec.exe
File created	C:\Program Files\Sony Corporation\Sony Turntable Driver\Sony Turntable Driver.dll	msiexec.exe
File created	C:\Program Files (x86)\Sony Corporation\PS-HX500\Sony Turntable Driver.dll	msiexec.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{0A63A0AE-E76D-4FD6-970E-8CC65857717B}\1033.MST	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA15129D5724550A4.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\{0A63A0AE-E76D-4FD6-970E-8CC65857717B}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{0A63A0AE-E76D-4FD6-970E-8CC65857717B}\NewShortcut1_54A81116BDC8477998E28A025301E2EA.exe	msiexec.exe
File created	C:\Windows\SystemTemp\~DFEC670824D97C6E8B.TMP	msiexec.exe
File created	C:\Windows\Installer\{0A63A0AE-E76D-4FD6-970E-8CC65857717B}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDE.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF7D3F156EEE3229A0.TMP	msiexec.exe
File created	C:\Windows\Installer\e590a38.mst	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB71.tmp	msiexec.exe
File created	C:\Windows\Installer\{0A63A0AE-E76D-4FD6-970E-8CC65857717B}\NewShortcut1_54A81116BDC8477998E28A025301E2EA.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC8B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e590a38.mst	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File created	C:\Windows\SystemTemp\~DF87E58297FB366373.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e590a37.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0A63A0AE-E76D-4FD6-970E-8CC65857717B}	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\{0A63A0AE-E76D-4FD6-970E-8CC65857717B}\1033.MST	msiexec.exe
File created	C:\Windows\Installer\e590a37.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB02.tmp	msiexec.exe
File created	C:\Windows\Installer\e590a3a.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 47 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	MsiExec.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000cfb66584abbe87e90000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000cfb665840000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900cfb66584000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dcfb66584000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000cfb6658400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	MsiExec.exe

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\Transforms = "C:\\Windows\\Installer\\{0A63A0AE-E76D-4FD6-970E-8CC65857717B}\\1033.MST"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\ProductName = "Sony Turntable Driver"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\SourceList\PackageName = "Setup (x64).msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\{1988081C-04B2-4240-8B61-AF0F986CAB3E}\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}\InprocServer32\InprocServer32 = 360069006e00440026004e0065002d006100410077004a002a006e00680070002d00430062004f003e0028002500530053007a00340043006a005d00390041007e0030006d003f005e00250075004d00740000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}\InprocServer32\ = "C:\\Program Files (x86)\\Sony Corporation\\PS-HX500\\Sony Turntable Driver.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}\ = "Sony Turntable Driver"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}\InprocServer32\ = "C:\\Program Files\\Sony Corporation\\Sony Turntable Driver\\Sony Turntable Driver.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}\InprocServer32\InprocServer32 = 360069006e00440026004e0065002d006100410077004a002a006e00680070002d00430062004f003e0063002b00770048004800450029003100630040002c002400540075007a004c0046002a005400490000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EA0A36A0D67E6DF479E0C86C857517B7	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EA0A36A0D67E6DF479E0C86C857517B7\SONY_TURNTABLE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\ProductIcon = "C:\\Windows\\Installer\\{0A63A0AE-E76D-4FD6-970E-8CC65857717B}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25FC87A9D8E43DC4891447ED854B7715\EA0A36A0D67E6DF479E0C86C857517B7	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{1988081C-04B2-4240-8B61-AF0F986CAB3E}\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25FC87A9D8E43DC4891447ED854B7715	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}\ = "Sony Turntable Driver"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E857555B-4773-4992-A1AE-3E558DFCC425}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\PackageCode = "AAD21607017310A4C845823503C41BB1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\Version = "16777217"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EA0A36A0D67E6DF479E0C86C857517B7\SourceList\Net	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1004	msiexec.exe
1004	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1084	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1084	MSIEXEC.EXE
Token: SeSecurityPrivilege	1004	msiexec.exe
Token: SeCreateTokenPrivilege	1084	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	1084	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	1084	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1084	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	1084	MSIEXEC.EXE
Token: SeTcbPrivilege	1084	MSIEXEC.EXE
Token: SeSecurityPrivilege	1084	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	1084	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	1084	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	1084	MSIEXEC.EXE
Token: SeSystemtimePrivilege	1084	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	1084	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	1084	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	1084	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	1084	MSIEXEC.EXE
Token: SeBackupPrivilege	1084	MSIEXEC.EXE
Token: SeRestorePrivilege	1084	MSIEXEC.EXE
Token: SeShutdownPrivilege	1084	MSIEXEC.EXE
Token: SeDebugPrivilege	1084	MSIEXEC.EXE
Token: SeAuditPrivilege	1084	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	1084	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	1084	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	1084	MSIEXEC.EXE
Token: SeUndockPrivilege	1084	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	1084	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	1084	MSIEXEC.EXE
Token: SeManageVolumePrivilege	1084	MSIEXEC.EXE
Token: SeImpersonatePrivilege	1084	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	1084	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	1084	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	1084	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	1084	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1084	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	1084	MSIEXEC.EXE
Token: SeTcbPrivilege	1084	MSIEXEC.EXE
Token: SeSecurityPrivilege	1084	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	1084	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	1084	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	1084	MSIEXEC.EXE
Token: SeSystemtimePrivilege	1084	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	1084	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	1084	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	1084	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	1084	MSIEXEC.EXE
Token: SeBackupPrivilege	1084	MSIEXEC.EXE
Token: SeRestorePrivilege	1084	MSIEXEC.EXE
Token: SeShutdownPrivilege	1084	MSIEXEC.EXE
Token: SeDebugPrivilege	1084	MSIEXEC.EXE
Token: SeAuditPrivilege	1084	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	1084	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	1084	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	1084	MSIEXEC.EXE
Token: SeUndockPrivilege	1084	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	1084	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	1084	MSIEXEC.EXE
Token: SeManageVolumePrivilege	1084	MSIEXEC.EXE
Token: SeImpersonatePrivilege	1084	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	1084	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	1084	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	1084	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	1084	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1008	Hi-ResAudioRecorder_1.1.0.exe
1084	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 1408	1008	Hi-ResAudioRecorder_1.1.0.exe	76
PID 1008 wrote to memory of 1408	1008	Hi-ResAudioRecorder_1.1.0.exe	76
PID 1008 wrote to memory of 1408	1008	Hi-ResAudioRecorder_1.1.0.exe	76
PID 1408 wrote to memory of 1084	1408	Setup (x64).exe	77
PID 1408 wrote to memory of 1084	1408	Setup (x64).exe	77
PID 1004 wrote to memory of 4668	1004	msiexec.exe	80
PID 1004 wrote to memory of 4668	1004	msiexec.exe	80
PID 1004 wrote to memory of 4668	1004	msiexec.exe	80
PID 1004 wrote to memory of 1412	1004	msiexec.exe	85
PID 1004 wrote to memory of 1412	1004	msiexec.exe	85
PID 1004 wrote to memory of 1760	1004	msiexec.exe	87
PID 1004 wrote to memory of 1760	1004	msiexec.exe	87
PID 1004 wrote to memory of 1244	1004	msiexec.exe	88
PID 1004 wrote to memory of 1244	1004	msiexec.exe	88
PID 2576 wrote to memory of 3420	2576	svchost.exe	90
PID 2576 wrote to memory of 3420	2576	svchost.exe	90

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Hi-ResAudioRecorder_1.1.0.exe
"C:\Users\Admin\AppData\Local\Temp\Hi-ResAudioRecorder_1.1.0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Users\Admin\AppData\Local\Downloaded Installations\{6459E4EA-D4AF-4866-ABD0-28D015B68466}\Setup (x64).exe
  "C:\Users\Admin\AppData\Local\Downloaded Installations\{6459E4EA-D4AF-4866-ABD0-28D015B68466}\Setup (x64).exe" /l"1033" /v"ARPSYSTEMCOMPONENT=1"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SYSTEM32\MSIEXEC.EXE
    MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{1988081C-04B2-4240-8B61-AF0F986CAB3E}\Setup (x64).msi" ARPSYSTEMCOMPONENT=1 TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\{1988081C-04B2-4240-8B61-AF0F986CAB3E}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Downloaded Installations\{6459E4EA-D4AF-4866-ABD0-28D015B68466}" SETUPEXENAME="Setup (x64).exe"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1084

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 23CB6FFDCE442A7858530AEEA9CC578E C
  2⤵
  - Loads dropped DLL
  PID:4668
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1412
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding DD0424327D85CD80E3C829455D7D14DB
  2⤵
  - Loads dropped DLL
  PID:1760
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 61ACAA2A6BB09E9C2F1874B24554216E E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:1244

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Sony Corporation\Sony Turntable Driver\Sony_Turntable_Driver.inf" "9" "46a670cd3" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Sony Corporation\Sony Turntable Driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e590a39.rbs

Filesize
725KB

MD5
ec32f5dfb37098cc914c925bdccd2ec7

SHA1
60aeb6e780c1697ca5736f6e1fad14dadf3728c3

SHA256
666f52401f503bb3377756414d44c21d82f6de3092a4b279fc244ff08635f128

SHA512
dd2aab01e8d417cdcac77ffbff87f90386d28413ca763a0855fd4f0a613c2e2160a2c4d97dbe5f06e9b800fdae680c20ef96eb9dccd7e9b40d30e42e4cca4e58

Download Submit
C:\PROGRA~1\SONYCO~1\SONYTU~1\Sony_Turntable_Driver.cat

Filesize
10KB

MD5
b2d6cd97a66895bcd1808fe45c0809fa

SHA1
a034301f61d522bdd28ed4518f9a746924856365

SHA256
fd851f2eee78866ff853c484e61a1215e0337061cc6e2f79cf743b9e9e555b9c

SHA512
c68bd879f84974b7b4f28069f44fa20f9d17d885524c79019fd96b054d0de3b5e56126051bf1a7bc2c6826e409878df741aa0b4ed8c6f7c93b6b53e49ca5fb8c

Download Submit
C:\PROGRA~1\SONYCO~1\SONYTU~1\Sony_Turntable_Driver.sys

Filesize
188KB

MD5
bd02a66017273494f44f10832276bf92

SHA1
14748527deb3248e3fb85af42ad1ec0bd1789fee

SHA256
1154a7e70169eb45ef7f62b0a118afa37cd3af3c3fa6398034b1739689bd6fe7

SHA512
659757b143b5a10fcc262a4fb3db3da5fc36441455452ab200a35c0657828dc34ac5a76cc7501331be9fe3b8c4c8e33235946b1977c286b4489fd7ba43711631

Download Submit
C:\Program Files\Sony Corporation\Sony Turntable Driver\Sony_Turntable_Driver.inf

Filesize
4KB

MD5
139f68dc15a114bc48683c3f6bbdd026

SHA1
5988952ba06462c4f34da17c88d90acd639b4f4c

SHA256
b1ec7b279b0507b1e957df4fd8c541ba1e5bf9ae17d5ef9ba0779bae3b11c2c5

SHA512
7b93b8dc8998243712e6d7c2506b4b21d3c62c2fb773eab5da330899744176fb31a8e9990329ed43ba5fa752e70131f9c2e3586a868793020660d1b5a82dcb2d

Download Submit
C:\Users\Admin\AppData\Local\Downloaded Installations\{6459E4EA-D4AF-4866-ABD0-28D015B68466}\Setup (x64).exe

Filesize
4.1MB

MD5
4ab62030ebdec3c06776d9cbdf9203ad

SHA1
14b9412e33611ca7750ecb83adac06bf1bf3a35b

SHA256
c805735edb6474afb48ace27a30614346c1617e95907aecbd0f1a648288c0f2c

SHA512
afdde898d57f9d2963bc81f207e5f4ae7e0844af2d6ed5ebff6e6c262a561523f58e91ffc6ab06662b34fad29bda745df930a68df4d5c7655d99a0fd573d2e29

Download Submit
C:\Users\Admin\AppData\Local\Downloaded Installations\{6459E4EA-D4AF-4866-ABD0-28D015B68466}\Setup (x64).exe

Filesize
2.4MB

MD5
f7d31dd1026b52675774d0243f53c252

SHA1
29cd8ab9e6a01be0e0e327f0071799318542b17b

SHA256
bafea9bffc244ce5c4303ef8be395e02c0ea5c42936f98a8091c65b7d822eb37

SHA512
7c14d2cb53a898abe038a03ac90ebbdea43af192b10c4cede3c2f353ae8b5304aea4fd7132a70d7a16b32d14e2884e88e41e23580147e04a00a08c05bf3cad2d

Download Submit
C:\Users\Admin\AppData\Local\Downloaded Installations\{6459E4EA-D4AF-4866-ABD0-28D015B68466}\Setup (x64).exe

Filesize
1.7MB

MD5
40613f92903b248aee9e0416b56d294d

SHA1
a01936aeab25c8b69d3f168307cf1f098bd86345

SHA256
24c07c7722df31d5bee0dc4658d26ff1fa83b4f4d33143b4ff061ded76f4107b

SHA512
9b393fe506543c0afb2cc7da3f1429172aabf43e616346ea6283beb4918e2e431191391d6e6628aff4efbf349dcdd89f078b52c65619eaf25a91636e63d4756e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICF70.tmp

Filesize
151KB

MD5
147b7f7427d9ffe61ea784c3b5e245c8

SHA1
2ccf676aa59561f0f30fcd04d5df48831054cb3e

SHA256
68653956ea7674ec9e8e643b573c9c8fbee00b7d07d4fc89fb0e233844c68683

SHA512
7a63e0d33d462fb73b6ec57ef2b1c4a21d873694e4d5e37f86b34fb33392d760d4c1d2aea313246a2618e2dd4537afcfc8006daebf8c1abc26435bc462d2b53c

Download Submit
C:\Users\Admin\AppData\Local\Temp\issBB5E.tmp

Filesize
2.5MB

MD5
9d115fd010ea7ec04b028a0fd437bcc2

SHA1
739c4b5d1c87603236ab5015c61e44d0efb0e582

SHA256
f281de841cc65a2ec5d2533509e16ce0d8dac164359279c7ceff7e82f1b4a1f2

SHA512
b6bb0f7811e4136cb64edfa70fe8ede7a6d517b35178d2ad741c776c411448673edc68bd0b9151d5e804020f4f895d05a25d0653e518354c469349db414e98ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1988081C-04B2-4240-8B61-AF0F986CAB3E}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1988081C-04B2-4240-8B61-AF0F986CAB3E}\1033.MST

Filesize
28KB

MD5
7aab2c00081bc5f62d63cf2dfe82020f

SHA1
3abb4dd7e3e9429c0bc50c145415b6e76eddb12e

SHA256
04d1e21d75bb73b25b9e9571eff091f5a4cbb837aeaa15cca8e30040b154bb13

SHA512
48a94c6a728aef8679f3677852474c2f3c27df3f3fd1063d66d39956bb716ee0e24c6d19ebf5385c391e5df0aef46c012c948d11ae42a4bbab5c70f86f77b548

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1988081C-04B2-4240-8B61-AF0F986CAB3E}\Setup (x64).msi

Filesize
5.3MB

MD5
1fa8772cd166d5162710bb77460560e5

SHA1
2c9ff0fd72e4ebf5da1f4d654790ad6347e96927

SHA256
c9f6e3dd863464138663c42395cf0afff3a2c71e9664f907ee8a3f7c929cbba6

SHA512
2ed6ac990dd1eb6f3913fc5f3c97f38b831ec8fbc8afd29b90745452b34d8a25dcf292122cdee2a4692b05be6c565c88a1bca75408db43e3370ac17d86003da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1988081C-04B2-4240-8B61-AF0F986CAB3E}\_ISMSIDEL.INI

Filesize
5KB

MD5
c143e42ed9fec68373373a31c6ae278c

SHA1
2583b0456e44048629612b3cb663ead06ca9bfd6

SHA256
36c8d7aca455e0a101183e557371d573887aff3ed6eb057ad479712981fa7b9d

SHA512
1e47691c5eca8a05839fe44ae62ea970b30324cfa36515564a15772471ceed6de05be1c337fef74d0dcfeea077d703456aa9ad85a9fcbdbb707b95605ec8d19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{35807C4E-B623-4377-9E42-CA5155566B68}\Application.png

Filesize
6KB

MD5
1033abd7c9518ded3593e01673aab9b9

SHA1
ada84fce4e9d9239c84cae85e8c74c2baf1fc3f8

SHA256
c653f45db5b738c6004656d81f78c7312dd9d7a6a57743da4e47dd42abaa2254

SHA512
0a83038f6b71555378206cb1d250ac60b29f5071a3df0eef9aae3697123573d54266ead2684f9c165657224cf4b365ed2d0ed245c22084cbdbc96d32def1a86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{35807C4E-B623-4377-9E42-CA5155566B68}\ISLogoBig.png

Filesize
10KB

MD5
f532199104fce73d0c1fae9e064425d0

SHA1
64d2e1715869db1130c36446ae8e2371c02f5a4c

SHA256
caffb135967de9edcdc5ac87d1aa81e83f82307dbd4bd8ec732b9be777479623

SHA512
ef9558e62eaa094babbcdd4bf45b6f0296d08a4be2fd9bf0cfff22ddae0899735310bcf4bfb8c8d78d78addd3ca88840c5c753246b15226005e9f45079eb5875

Download Submit
C:\Users\Admin\AppData\Local\Temp\{35807C4E-B623-4377-9E42-CA5155566B68}\ISLogoSmall.png

Filesize
3KB

MD5
677769a671b5d2032f2a96bc04266255

SHA1
7c5f177dd4b8c7ce2b8b90543cd51728ea83c05f

SHA256
4e3baabedbbecba69f1cda02ee89f4d4a8dac00737dc3f523a1f275be12dced6

SHA512
50ee84991c4761052aca2ba9dacbda020430d9262be51ed66c27305732ab4b8388693b8063b47999d7cb3043e725eec65491c578d1706773ac43f5443fdbaf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{35807C4E-B623-4377-9E42-CA5155566B68}\Setup_UI.dll

Filesize
918KB

MD5
9892297dba11129b5e49175757467172

SHA1
809defd49f3a7517ee5e232a16c3a2f6a8b18e54

SHA256
d03049b5fdf24866cbd6b7740ca17ec6ac0779c3fcb1a23f3b518e32dd7cb4fa

SHA512
2cbc8e9d7d494b4c00eb14c0cd093505d8d45c73bde82e00ed1b7261230322b7e72059d4fae12099ac7db8162e13fae43d509033ce886c118064467341c7a31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{35807C4E-B623-4377-9E42-CA5155566B68}\_is56DA

Filesize
773B

MD5
e33e7eaa5f230df5ab882c1854de71cb

SHA1
85afd57c1cd350a0556287b8cee86e2485d3ad03

SHA256
0d926c7e98b310500a3453e4aa4bedc78922544d6c4afbcf9b396b427bc3ca98

SHA512
44b5f22f7269a730110ca15c4682ffc6f43050ffcae1104577da2b6793ad4f8a886ed6df23aa6c3717001032cef73fb5f7f1068a1e2e8149b1f4039f5c686a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\{35807C4E-B623-4377-9E42-CA5155566B68}\_is56DA

Filesize
1KB

MD5
6df1a47b29fa8291b7a309b5ffbac8ed

SHA1
bda811e5c4f780df885f76942d662e3b5509cd52

SHA256
aa23055ec3e0270a30f71169002560910f2e551eb5eff74f95608d7e74fe17aa

SHA512
805263ea88fdffdcff3d717c6bb5ac73c2a97509a5d457263edc838ef485a659b1f66e57420bd9722a50f303839cc8f633d5639d212c6f8de6ae83a2bbc0af9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~BA71.tmp

Filesize
5KB

MD5
6b1f571ef152b9eb08b52751188dfd43

SHA1
931c4083a83f7f5f495383a49c5512dc08917283

SHA256
2536b77e36c4e4b4c62b74ffffeaf2409c0766ae95ffcbab2caa765bbca51047

SHA512
b3d139c1ba5187e893c8cac1b39b870a6c2e55f61a2fa90db23192977fc2a9e204e6efce404f398ce7c02c4469957ea5efe8a57a6e093e3bf4f7e4127cfa1fab

Download Submit
C:\Windows\Installer\MSIB71.tmp

Filesize
152KB

MD5
573f48ab3fcf79ae1c3e22b2467df013

SHA1
80c8ee6d6b2256e86f5f4b831fe18be462559473

SHA256
a7ba6c079eb882672fcb3409ac054c1d555217a2a764072c413c5ca0fe5eb176

SHA512
6de9c0e66fb06bfc7a0d8126d946c96e82d55228f57d08df9436f05e2ff873cbfacf39a5b161e310ad638344d4c49272a418cc07fd408af451864e2ce1a96c69

Download Submit
C:\Windows\Installer\MSIC8B.tmp

Filesize
706KB

MD5
89596bcc6b7add0a805c9f7a2ec120de

SHA1
e576a07e09df2bd69773334189c431b2369d1f93

SHA256
eb2aaf64e9f74ee1c1d687777bdfe9911989059d04e980685c9350153b6bc677

SHA512
0e72e53ba512f10af5b75f2651d5d481d455a2d67b412a4fc7a2a3c2ef086953322f54b3ba0f9d3f3e27b964f6a75c16087f98d721342f719e217bb39f0d780d

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
2KB

MD5
8b7a8a8f549e326f5d302870543cf22f

SHA1
d7af8b189c9e1cb28e05a48127593eee26b6763b

SHA256
c6ee9ca0c86c817534f63298b1ce2e60ed9f393113fe3e4c255883249f2482b2

SHA512
ba94d96b0d119dca2a3597d3bcc0eae28a131a58ce21f904489add66a7c61b0c8d74271366024a874423185f3d5d2d8e4139649c80d64c1df5d6e60051fe19ae

Download Submit
memory/1008-25-0x0000000003710000-0x0000000003711000-memory.dmp

Filesize
4KB

Download
memory/1008-24-0x0000000003710000-0x0000000003711000-memory.dmp

Filesize
4KB

Download