947ec3e108a30209e6ca2dd11f8fec9e7c8a9698964c22c3f06e8923ab24f68d

Analysis

max time kernel
129s
max time network
137s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MeshLab2023.12d-windows.exe
Size

74.4MB
MD5

5943f4cf86930d8c3c2d939c0c9f32db
SHA1

3faa94ef5639946fccec663caced035a81dfd0d9
SHA256

947ec3e108a30209e6ca2dd11f8fec9e7c8a9698964c22c3f06e8923ab24f68d
SHA512

13978103f684f3e70d464b7272a00acac863cd39fa723c1d8732b20fbf04d29060c9f153d2e87e6a4e63efd7d89775077287b30fe0178175a252a60729478a01
SSDEEP

1572864:OXDALKordyLYGZxC/ED+5W4C+39xzXOS5Vag0TpCNV8PSDe:OEV8LlZxCjWvI9x55Ag0TpywH

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{1de5e707-82da-4db6-b810-5d140cc4cbb3} = "\"C:\\ProgramData\\Package Cache\\{1de5e707-82da-4db6-b810-5d140cc4cbb3}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	780	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VCG\MeshLab\shaders\splatpyramid\shader_point_projection_color.vert	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\Qt5OpenGL.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\decorate_shadow\vsm\objectVSM.frag	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\filter_sampling.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\imageformats\qgif.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\translations\qt_zh_TW.qm	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\reflexion_lines.gdp	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\decorate_shadow\ssao\ssao.frag	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\xerces-c_3_2.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\iconengines\qsvgicon.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\shaders\splatpyramid\shader_analysis_color.vert	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\filter_createiso.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\filter_fractal.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\imageformats\qwbmp.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\translations\qt_ja.qm	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\libEGL.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\meshlab-common-gui.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\filter_layer.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\Cook-Torrance.vert	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\decorate_shadow\vsmb\objectVSM.frag	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\styles\qwindowsvistastyle.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\ExecWaitJob.nsh	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\d3dcompiler_47.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\filter_screened_poisson.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\filter_sdfgpu.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\io_base.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\render_gdp.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\translations\qt_cs.qm	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\shaders\decorate_shadow\vsm\depthVSM.frag	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\bearer\qgenericbearer.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\edit_quality.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\translations\qt_lv.qm	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\filter_ssynth.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\filter_voronoi.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\edit_align.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\filter_measure.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\filter_mutualglobal.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\io_tri.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\shaders\gooch.vert	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\shaders\splatpyramid\shader_phong.frag	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\vc_redist.x64.exe	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\filter_create.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\translations\qt_da.qm	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\shaders\Cook-Torrance.vert	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\meshlab-common.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\io_u3d.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\bearer	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\shaders\decorate_shadow\sm\object.frag	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\translations\qt_fr.qm	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\edit_paint.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\filter_geodesic.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\translations\qt_gd.qm	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\lattice.frag	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\lattice.gdp	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\xray.gdp	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\filter_ssynth.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\plugins\platforms\qwindows.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\imageformats\qgif.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\io_3ds.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\imageformats\qgif.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\shaders\reflexion_lines.vert	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\edit_sample.dll	MeshLab2023.12d-windows.exe
File created	C:\Program Files\VCG\MeshLab\plugins\filter_clean.dll	MeshLab2023.12d-windows.exe
File opened for modification	C:\Program Files\VCG\MeshLab\translations\qt_he.qm	MeshLab2023.12d-windows.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f77ca8f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77ca8f.msi	msiexec.exe
File created	C:\Windows\Installer\f77caa6.ipi	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x64.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f77ca92.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77caa3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI40A5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI445E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77caa6.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f77ca92.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB2C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE59.tmp	msiexec.exe
File created	C:\Windows\Installer\f77caa2.msi	msiexec.exe
File created	C:\Windows\Installer\f77caa3.msi	msiexec.exe
File created	C:\Windows\Installer\f77cab9.msi	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x64.exe

Executes dropped EXE 3 IoCs

pid	Process
2868	vc_redist.x64.exe
3052	vc_redist.x64.exe
1772	VC_redist.x64.exe

Loads dropped DLL 15 IoCs

pid	Process
628	MeshLab2023.12d-windows.exe
628	MeshLab2023.12d-windows.exe
628	MeshLab2023.12d-windows.exe
628	MeshLab2023.12d-windows.exe
1356	Process not Found
1356	Process not Found
1356	Process not Found
1356	Process not Found
628	MeshLab2023.12d-windows.exe
2868	vc_redist.x64.exe
3052	vc_redist.x64.exe
3052	vc_redist.x64.exe
592	VC_redist.x64.exe
628	MeshLab2023.12d-windows.exe
628	MeshLab2023.12d-windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PTX File\shell\open\command	MeshLab2023.12d-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{1de5e707-82da-4db6-b810-5d140cc4cbb3}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OBJ File\DefaultIcon	MeshLab2023.12d-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PTX File\DefaultIcon	MeshLab2023.12d-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QOBJ File\shell\edit\command\ = "\"C:\\Program Files\\VCG\\MeshLab\\meshlab.exe\" \"%1\""	MeshLab2023.12d-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VMI File\DefaultIcon\ = "C:\\Program Files\\VCG\\MeshLab\\meshlab.exe,0"	MeshLab2023.12d-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{C31777DB-51C1-4B19-9F80-38EF5C1D7C89}v14.38.33130\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OBJ File\shell\edit\command	MeshLab2023.12d-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\STL File	MeshLab2023.12d-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FBX File\shell\open\command\ = "\"C:\\Program Files\\VCG\\MeshLab\\meshlab.exe\" \"%1\""	MeshLab2023.12d-windows.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{C31777DB-51C1-4B19-9F80-38EF5C1D7C89}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BD77713C1C1591B4F90883FEC5D1C798\VC_Runtime_Additional	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33130"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OBJ File\shell\edit\command\ = "\"C:\\Program Files\\VCG\\MeshLab\\meshlab.exe\" \"%1\""	MeshLab2023.12d-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PLY File\shell\edit\command	MeshLab2023.12d-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.38.33130"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{1CA7421F-A225-4A9C-B320-A36981A2B789}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FBX File\shell\edit	MeshLab2023.12d-windows.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OBJ File	MeshLab2023.12d-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FBX File\shell\edit\ = "Edit FBX File"	MeshLab2023.12d-windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QOBJ File\shell\edit\command	MeshLab2023.12d-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\PackageCode = "5ED4A84E7A8511F4F91076B9DE989D70"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QOBJ File\shell\open\command	MeshLab2023.12d-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VMI File\shell\edit\ = "Edit VMI File"	MeshLab2023.12d-windows.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PLY File\shell	MeshLab2023.12d-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\STL File\shell\edit\ = "Edit STL File"	MeshLab2023.12d-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ptx\ = "PTX File"	MeshLab2023.12d-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PTX File\shell\edit	MeshLab2023.12d-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PLY File\shell\open\command\ = "\"C:\\Program Files\\VCG\\MeshLab\\meshlab.exe\" \"%1\""	MeshLab2023.12d-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.off	MeshLab2023.12d-windows.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\STL File\shell\edit\command\ = "\"C:\\Program Files\\VCG\\MeshLab\\meshlab.exe\" \"%1\""	MeshLab2023.12d-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vmi\ = "VMI File"	MeshLab2023.12d-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VMI File\ = "VMI File"	MeshLab2023.12d-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PTX File\shell\edit\ = "Edit PTX File"	MeshLab2023.12d-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FBX File\shell\edit\command	MeshLab2023.12d-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PLY File\shell\open\command	MeshLab2023.12d-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QOBJ File\DefaultIcon	MeshLab2023.12d-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FBX File	MeshLab2023.12d-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.38.33130"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{C31777DB-51C1-4B19-9F80-38EF5C1D7C89}v14.38.33130\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OFF File\shell\edit\command	MeshLab2023.12d-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FBX File\shell\open	MeshLab2023.12d-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.38.33130"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QOBJ File\DefaultIcon\ = "C:\\Program Files\\VCG\\MeshLab\\meshlab.exe,0"	MeshLab2023.12d-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OFF File\ = "OFF File"	MeshLab2023.12d-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PTX File\shell\open	MeshLab2023.12d-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.stl\backup_val = "STLFile"	MeshLab2023.12d-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\STL File\DefaultIcon\ = "C:\\Program Files\\VCG\\MeshLab\\meshlab.exe,0"	MeshLab2023.12d-windows.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
780	msiexec.exe
780	msiexec.exe
780	msiexec.exe
780	msiexec.exe
780	msiexec.exe
780	msiexec.exe
780	msiexec.exe
780	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1132	vssvc.exe
Token: SeRestorePrivilege	1132	vssvc.exe
Token: SeAuditPrivilege	1132	vssvc.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeLoadDriverPrivilege	2576	DrvInst.exe
Token: SeLoadDriverPrivilege	2576	DrvInst.exe
Token: SeLoadDriverPrivilege	2576	DrvInst.exe
Token: SeShutdownPrivilege	1772	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	1772	VC_redist.x64.exe
Token: SeRestorePrivilege	780	msiexec.exe
Token: SeTakeOwnershipPrivilege	780	msiexec.exe
Token: SeSecurityPrivilege	780	msiexec.exe
Token: SeCreateTokenPrivilege	1772	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	1772	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	1772	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	1772	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	1772	VC_redist.x64.exe
Token: SeTcbPrivilege	1772	VC_redist.x64.exe
Token: SeSecurityPrivilege	1772	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	1772	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	1772	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	1772	VC_redist.x64.exe
Token: SeSystemtimePrivilege	1772	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	1772	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	1772	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	1772	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	1772	VC_redist.x64.exe
Token: SeBackupPrivilege	1772	VC_redist.x64.exe
Token: SeRestorePrivilege	1772	VC_redist.x64.exe
Token: SeShutdownPrivilege	1772	VC_redist.x64.exe
Token: SeDebugPrivilege	1772	VC_redist.x64.exe
Token: SeAuditPrivilege	1772	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	1772	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	1772	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	1772	VC_redist.x64.exe
Token: SeUndockPrivilege	1772	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	1772	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	1772	VC_redist.x64.exe
Token: SeManageVolumePrivilege	1772	VC_redist.x64.exe
Token: SeImpersonatePrivilege	1772	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	1772	VC_redist.x64.exe
Token: SeRestorePrivilege	780	msiexec.exe
Token: SeTakeOwnershipPrivilege	780	msiexec.exe
Token: SeRestorePrivilege	780	msiexec.exe
Token: SeTakeOwnershipPrivilege	780	msiexec.exe
Token: SeRestorePrivilege	780	msiexec.exe
Token: SeTakeOwnershipPrivilege	780	msiexec.exe
Token: SeRestorePrivilege	780	msiexec.exe
Token: SeTakeOwnershipPrivilege	780	msiexec.exe
Token: SeRestorePrivilege	780	msiexec.exe
Token: SeTakeOwnershipPrivilege	780	msiexec.exe
Token: SeRestorePrivilege	780	msiexec.exe
Token: SeTakeOwnershipPrivilege	780	msiexec.exe
Token: SeRestorePrivilege	780	msiexec.exe
Token: SeTakeOwnershipPrivilege	780	msiexec.exe
Token: SeRestorePrivilege	780	msiexec.exe
Token: SeTakeOwnershipPrivilege	780	msiexec.exe
Token: SeRestorePrivilege	780	msiexec.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 2868	628	MeshLab2023.12d-windows.exe	30
PID 628 wrote to memory of 2868	628	MeshLab2023.12d-windows.exe	30
PID 628 wrote to memory of 2868	628	MeshLab2023.12d-windows.exe	30
PID 628 wrote to memory of 2868	628	MeshLab2023.12d-windows.exe	30
PID 628 wrote to memory of 2868	628	MeshLab2023.12d-windows.exe	30
PID 628 wrote to memory of 2868	628	MeshLab2023.12d-windows.exe	30
PID 628 wrote to memory of 2868	628	MeshLab2023.12d-windows.exe	30
PID 2868 wrote to memory of 3052	2868	vc_redist.x64.exe	31
PID 2868 wrote to memory of 3052	2868	vc_redist.x64.exe	31
PID 2868 wrote to memory of 3052	2868	vc_redist.x64.exe	31
PID 2868 wrote to memory of 3052	2868	vc_redist.x64.exe	31
PID 2868 wrote to memory of 3052	2868	vc_redist.x64.exe	31
PID 2868 wrote to memory of 3052	2868	vc_redist.x64.exe	31
PID 2868 wrote to memory of 3052	2868	vc_redist.x64.exe	31
PID 3052 wrote to memory of 1772	3052	vc_redist.x64.exe	32
PID 3052 wrote to memory of 1772	3052	vc_redist.x64.exe	32
PID 3052 wrote to memory of 1772	3052	vc_redist.x64.exe	32
PID 3052 wrote to memory of 1772	3052	vc_redist.x64.exe	32
PID 3052 wrote to memory of 1772	3052	vc_redist.x64.exe	32
PID 3052 wrote to memory of 1772	3052	vc_redist.x64.exe	32
PID 3052 wrote to memory of 1772	3052	vc_redist.x64.exe	32
PID 1772 wrote to memory of 1652	1772	VC_redist.x64.exe	38
PID 1772 wrote to memory of 1652	1772	VC_redist.x64.exe	38
PID 1772 wrote to memory of 1652	1772	VC_redist.x64.exe	38
PID 1772 wrote to memory of 1652	1772	VC_redist.x64.exe	38
PID 1772 wrote to memory of 1652	1772	VC_redist.x64.exe	38
PID 1772 wrote to memory of 1652	1772	VC_redist.x64.exe	38
PID 1772 wrote to memory of 1652	1772	VC_redist.x64.exe	38
PID 1652 wrote to memory of 592	1652	VC_redist.x64.exe	39
PID 1652 wrote to memory of 592	1652	VC_redist.x64.exe	39
PID 1652 wrote to memory of 592	1652	VC_redist.x64.exe	39
PID 1652 wrote to memory of 592	1652	VC_redist.x64.exe	39
PID 1652 wrote to memory of 592	1652	VC_redist.x64.exe	39
PID 1652 wrote to memory of 592	1652	VC_redist.x64.exe	39
PID 1652 wrote to memory of 592	1652	VC_redist.x64.exe	39
PID 592 wrote to memory of 2724	592	VC_redist.x64.exe	40
PID 592 wrote to memory of 2724	592	VC_redist.x64.exe	40
PID 592 wrote to memory of 2724	592	VC_redist.x64.exe	40
PID 592 wrote to memory of 2724	592	VC_redist.x64.exe	40
PID 592 wrote to memory of 2724	592	VC_redist.x64.exe	40
PID 592 wrote to memory of 2724	592	VC_redist.x64.exe	40
PID 592 wrote to memory of 2724	592	VC_redist.x64.exe	40

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\MeshLab2023.12d-windows.exe
"C:\Users\Admin\AppData\Local\Temp\MeshLab2023.12d-windows.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:628
- C:\Program Files\VCG\MeshLab\vc_redist.x64.exe
  "C:\Program Files\VCG\MeshLab\vc_redist.x64.exe" /q /norestart
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\Temp\{0558D190-6A74-4842-AC64-22F8FD1DF319}\.cr\vc_redist.x64.exe
    "C:\Windows\Temp\{0558D190-6A74-4842-AC64-22F8FD1DF319}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Program Files\VCG\MeshLab\vc_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /q /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\Temp\{D182C02D-1F42-4B38-BEB0-4443999F3473}\.be\VC_redist.x64.exe
      "C:\Windows\Temp\{D182C02D-1F42-4B38-BEB0-4443999F3473}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{DEE7E6A3-4777-47D7-97C6-B2616FD17B65} {9BBE496D-F120-4537-8A5A-E918CA699A82} 3052
      4⤵
      Adds Run key to start application
      Drops file in Windows directory
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={1de5e707-82da-4db6-b810-5d140cc4cbb3} -burn.filehandle.self=508 -burn.embedded BurnPipe.{46116B9A-CF97-4D79-A8D6-E5BCCEFDC539} {6DF5492F-AFF9-4F36-9E05-948CE7D36701} 1772
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 -uninstall -quiet -burn.related.upgrade -burn.ancestors={1de5e707-82da-4db6-b810-5d140cc4cbb3} -burn.filehandle.self=508 -burn.embedded BurnPipe.{46116B9A-CF97-4D79-A8D6-E5BCCEFDC539} {6DF5492F-AFF9-4F36-9E05-948CE7D36701} 1772
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{AA9F1368-222A-4DF3-AABD-464F8CF3C377} {3C4C1994-33D0-4D27-A030-6B31C12ADE4C} 592
        7⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2724

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000570" "00000000000002B0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77ca95.rbs

Filesize
17KB

MD5
89c2d48cdd44533bbeeb8f373c6cfd80

SHA1
85ac6dc9b13f7aea9cf2bbf93d9cceb269f093a6

SHA256
874b7a9efa2b32ab3b4b13e00f33f842303845e482ace8a802a201b84f66a8fe

SHA512
040ec7e603debe6630b9511d8f80efe0ec63575392e6d11735c88d3309dee0ac756fd0060a1e09f683efbc5c0cc57250e4829105a7796e0027cfb3030d0c9039

Download Submit
C:\Config.Msi\f77caa1.rbs

Filesize
16KB

MD5
eeda52de768712257911226ac6979f4b

SHA1
a02831a3f340f47bf293b1c6fa8ca9342e4cb5ff

SHA256
1002399564ca56efcdad8daaf15ef3ceb7c1e8bb57c437d609708435f7a3951f

SHA512
0f1ef11d6dac11f308bf6a53701dac4554844027e4d0a18d2b910acba09896e5865a637c4107657203ec259cba99674232cbf846a2f9c07adfb37234be2080bd

Download Submit
C:\Config.Msi\f77caa9.rbs

Filesize
18KB

MD5
69f98210e4f2803fe5eb9177471e529e

SHA1
9a0ec4da9a45f7f62e46d8763a45debe65d8d2c2

SHA256
867819c878c2ae6371d0401d6be9c229490ba0f92a64f31d247a4b440f1a6cd5

SHA512
ab21cb8824d7e0851fc4b75da4155a3ed8ec5f2344e90c36797dcc92368ad6a3172a4d4202fc193680c8192cefdad2aea2fb4fc2f3cf3f85148651759d4a02f2

Download Submit
C:\Config.Msi\f77cab8.rbs

Filesize
17KB

MD5
cc642acca9cd311d678b1878368eb370

SHA1
46a0e0c512b7f6522f5de54f16f0a7f224e04333

SHA256
5a52ca960469a19e2fadf086adea8c253d512d18f0bd5ea792fda32067a63916

SHA512
50c7c50ae24dfa3831e2dc4e67ddfeddeb5fc30f84869a9934735ddebf05cb5c1da6454bf0468ad4e6c5e562599902eeed81c4867e8987d9e5bbdc8dade1728e

Download Submit
C:\Program Files\VCG\MeshLab\vc_redist.x64.exe

Filesize
8.4MB

MD5
d7dcabbbed614f49ee2a156416186588

SHA1
b03fa6992367eeefdfaac191b1c48bc99bccc9ac

SHA256
3e8e622de039dc5bf79a1aa20f251bdac2d7b22209e52ca6eb04ed39c3955a45

SHA512
a9b8592a03c0caff521ecb48e257aa4c9d288c2576d796dfbf479c62815aef5eaacc39244d627b77a978f67b1476e9d129cf39e2b6c0445a137709f13d0c3c28

Download Submit
C:\Program Files\VCG\MeshLab\vc_redist.x64.exe

Filesize
7.3MB

MD5
dc83c9caf33c6c1ce794e05ad2cef78d

SHA1
cbb326ec0f96acf40746dd8bf5fa62ab47efb3b8

SHA256
bef52b29fd6ae4c807a23915733fe5713adfecd4ecd0f32dbd66ebe38b745498

SHA512
6275d6ec9cec5a12dce581b80d89309f2153a38492250624d139e97bedba9a579ca1ef6e64aa9438e9f9e9132115b5b936808e1575de7fa47effa06c0fbfabd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9975a0fab473b56ffa2500925302c3b2

SHA1
e36689990a203817919e22abeb054382ebf5193a

SHA256
dab48a2e9b937ac550250b4e8970bc8fac5e1035a27649ce90c45d760853429b

SHA512
c2a6053fd376769e09284c0f2837c49b792a888ab88e6baedfd00d95347cf1fa3234bb4e32e1bbd15d8b0b6e35cd84ee602e6cea7ea5e971a32f4e5c86c1eb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCB4D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCBEC.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCF50.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240307090236_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
c8d330f232e89d77a0dcc32f20afcffc

SHA1
cc3a74ecc1c96dc8d5c84623fb4880cc954ccf57

SHA256
a53b7c48599e61cf569cb4999cba0cc983dd7236d772f7007e06489cc26b56dc

SHA512
88a873978cd6eca1186ad91da665d7ab225c2d57aedd71c045caf2f6232418ee137e8194eb0f639cc1bc34932f668f73a214c6c6b2c3686e31db6c6e9fab24f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240307090236_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
12d9e40e34ab6d52c109d5d86cf2a771

SHA1
402f9ec269793d965a6748511f5295d7901296cb

SHA256
07b49f29da07597d18c24e99ab9e06116e7487a2af7709cae438cb884a4053b2

SHA512
473e2d038547bf67fa3c30e28ef8b351f39e3efe52bd74de875db7eca317e65ca0d07aceaf66e2bea6802adb31bdb3ed385df86aff25103d5792ad66a65cba2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoA8FD.tmp\ioSpecial.ini

Filesize
1KB

MD5
d253e2a66ea56156e19ff41e13d3030c

SHA1
164656cf5b7091b2e3007b55f0a1a7b824c3a95b

SHA256
f897a947f272d867a3a8057fbb6997c6eb91bb3a731f945f6cd4f0e0afbad01c

SHA512
b595f0858b37ba3728ca5583582d4cacb65559e47bf906c22453df05a99cda4d39e308a51586ce17fdb96edd6455f5b70ffeff3725dcb4656d312a2d9048e4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoA8FD.tmp\ioSpecial.ini

Filesize
1KB

MD5
8b68d33829057fc5d1256c4244149782

SHA1
72924bbeb58b22039c5dcc5e340bf5ab7194c403

SHA256
7c2bfb856ef28b52ad5fd6819e07bbb137e47c820b2a763bf76ff0d385855b6d

SHA512
4defc1da265ae9a293b401fe09fb5568d33e7ec7ad7f3191fb2452784e9766fb0a1fc61ae4f1957a959214b3e3055f39a1d6106bfb2f3d68ca7a4e3208d527b2

Download Submit
C:\Windows\Temp\{D182C02D-1F42-4B38-BEB0-4443999F3473}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{D182C02D-1F42-4B38-BEB0-4443999F3473}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
e181a4fd7fc6a5a35d355efccb2c02d2

SHA1
762ded20d790e9342119f7578a4453ac512a0285

SHA256
e792f561821e193991fcc0c98038f0b0b905b0b0c67b55aaa1040d18652c6225

SHA512
8a8f04f5a044cfd126da9fafbdc86e74c7dc1624b241ed527e11bcdc389b8d9756c9fa6217b220e9aa49fb604285d8fb8c0dead91a7e456937e8b474000e32fe

Download Submit
C:\Windows\Temp\{D182C02D-1F42-4B38-BEB0-4443999F3473}\cab5046A8AB272BF37297BB7928664C9503

Filesize
958KB

MD5
b9c44fa1b63f24db5f63e4d5992428bc

SHA1
4b6b0db14c7444009b71a20cba406b27a03edaac

SHA256
dc862c89bccaeeb3b7ae04895377a6156dd81e0e1ff460b692f6cec51b865f4f

SHA512
0ce0612d528a237691d860c11a6f37555185871e80667a99ef23229496c87ddfeba13ef492eb330f3a75206e645e683617ff9d3b2a756d544af4d34ee8e3cd46

Download Submit
C:\Windows\Temp\{D182C02D-1F42-4B38-BEB0-4443999F3473}\vcRuntimeAdditional_x64

Filesize
188KB

MD5
ea980cf567e11691d1e4476eb46cf0b9

SHA1
a0520000ad102411c041fc44e333fa298e72b38f

SHA256
98c9604efcba36d02387a570ddf9697951fb8f625c5ce2471a2d4a573e962d23

SHA512
b07184932de406cc1df8ae3599d0418211f3b3f40711f743aa7534d06757794aa9f1b61f6b7fa85cd604f5e6eca7d08a04ec2d2c78c80fff5bdec2b772f5656d

Download Submit
C:\Windows\Temp\{D182C02D-1F42-4B38-BEB0-4443999F3473}\vcRuntimeMinimum_x64

Filesize
188KB

MD5
cde169db3e6657e49a923413bec65774

SHA1
6c57b389c08a0a3bd3c8919c2b546fb9e1ea7003

SHA256
6cf659c5d73f2ce102b60a64f820f57d598efbfb1e1a0f393a5df7f11bbc35c3

SHA512
d32b32ec275ea7befe7c63977cd300887bc88460d56c4fb848447c87006ead29fdb41c60688186d18bfac6ff6f0c8a441d1fb91765a4fda93824d4b61a4ae627

Download Submit
C:\Windows\WindowsUpdate.log

Filesize
16KB

MD5
9aae39143706847b46d8809623e72f3f

SHA1
0fa1d6d2f2373b3d4e247ef6c3267e7bc0f4b73a

SHA256
1ad7b41ec79e3e3975b1433cb5a46e2ec2d9b9c01e4429e473eaf1c318dffd7e

SHA512
1507ef29979d51c2847f3b36a198024763947d76f0da5e2825495425f1d820c40d0dd895997bfaa1ee24d414f35f270813b35bda79d5a7a906496f3702bfee41

Download Submit
\Program Files\VCG\MeshLab\meshlab.exe

Filesize
1.3MB

MD5
07db51aab0ebb35420881c14dbacdc6b

SHA1
fc8fbb9786bce0b789120c3148228e8e118d90e1

SHA256
cb78595954840550a0ec05b365c1e1d9e5639ab4fc48491e692f3c0d44b5ec54

SHA512
f71cb69bf07370e2c9a64d155f6f8e1a59701382f486536664b198b721478fbe30f542c34f3de52036fbc6c05491f22294b1fe0e9783c7b498dc03265d996955

Download Submit
\Program Files\VCG\MeshLab\uninstall.exe

Filesize
53KB

MD5
8e229b3aaabfaf729056b0c4dbafca6c

SHA1
44c63046f53add0567e8ad1fe1b6f2909327c221

SHA256
efbb0805b5d25db9d79a4d74d58bcd9d4b59a71072a758d28f7f67fe58fcdef6

SHA512
f6ef3844794c8eac6c6b436f4a322137d895609d338ab08654b57ae9731c4194e3894e3abb3ec34e578d47f4a0908f5209da5520e167fc4f49d74772f6082ea1

Download Submit
\Program Files\VCG\MeshLab\vc_redist.x64.exe

Filesize
7.2MB

MD5
748079a3a433e92505895f5a9581719a

SHA1
a4ecd6fcaffa3f3e3b82c064f2bc63e50fe81a59

SHA256
ccd6b4ef2bf0767f3cb39c51cbfb5322a0c7a133a7cd5f977b9cb01b1769e98f

SHA512
d2a87d05f0e771d8986c47f143b2cba06f3aff7f1e4f8f7333c759abbcf869c755c32f21b1f756d40c6b8ea5ed8534be17e78ba4475250ea4ca0105335bdafc2

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA8FD.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA8FD.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
\Windows\Temp\{0558D190-6A74-4842-AC64-22F8FD1DF319}\.cr\vc_redist.x64.exe

Filesize
635KB

MD5
53e9222bc438cbd8b7320f800bef2e78

SHA1
c4f295d8855b4b16c7450a4a9150eb95046f6390

SHA256
0e49026767420229afd23b1352cf9f97f24e0768c3d527000d449ffdb4ca6888

SHA512
7533f9791e1807072a4dbb6ca03c696b12dfa5337678fab53aceea0e4b7e5ffefb90c9b450ac80878e1e9a4bce549f619da4cd2d06eb2554c9add5b4ec838b4a

Download Submit
\Windows\Temp\{D182C02D-1F42-4B38-BEB0-4443999F3473}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit