4be0579caced466793d2cecf8332596122761c0f85dcb1149a553cf64ad3108f

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 19:23

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

MiniMeters-Setup-0.8.17.exe
Size

28.8MB
MD5

3e67c0738f2cad77dd97c7e562b3df91
SHA1

41bdb40130355006abc7a2111908a2e05853a720
SHA256

4be0579caced466793d2cecf8332596122761c0f85dcb1149a553cf64ad3108f
SHA512

8acdc88c80626fc923b22febc92aa6cb0bb701737faddfd6b4ec1299a9b03d3776bbb38af293c1493e34f9a1e716ade535af176c2d97c345af52e405b7e75d98
SSDEEP

786432:3OZWTstUVwIWzalbYXHuBvP57VrRu3mP+9ZTiYWb:KWTstUVwZ2bYXOBvB7wp9ZTi

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2516	MiniMeters-Setup-0.8.17.tmp
1652	vc_redist.x64.exe
856	vc_redist.x64.exe
3020	VC_redist.x64.exe

Loads dropped DLL 12 IoCs

pid	Process
3028	MiniMeters-Setup-0.8.17.exe
2516	MiniMeters-Setup-0.8.17.tmp
2516	MiniMeters-Setup-0.8.17.tmp
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
2516	MiniMeters-Setup-0.8.17.tmp
1652	vc_redist.x64.exe
856	vc_redist.x64.exe
856	vc_redist.x64.exe
568	VC_redist.x64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{1de5e707-82da-4db6-b810-5d140cc4cbb3} = "\"C:\\ProgramData\\Package Cache\\{1de5e707-82da-4db6-b810-5d140cc4cbb3}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2380	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\CLAP\is-6FST9.tmp	MiniMeters-Setup-0.8.17.tmp
File opened for modification	C:\Program Files\MiniMeters\unins000.dat	MiniMeters-Setup-0.8.17.tmp
File opened for modification	C:\Program Files\MiniMeters\libssl-3-x64.dll	MiniMeters-Setup-0.8.17.tmp
File created	C:\Program Files\MiniMeters\is-0485R.tmp	MiniMeters-Setup-0.8.17.tmp
File created	C:\Program Files\MiniMeters\is-B3B5J.tmp	MiniMeters-Setup-0.8.17.tmp
File created	C:\Program Files\MiniMeters\is-G4AAU.tmp	MiniMeters-Setup-0.8.17.tmp
File created	C:\Program Files\Common Files\VST3\MiniMetersServer.vst3\Contents\x86_64-win\is-L22JH.tmp	MiniMeters-Setup-0.8.17.tmp
File opened for modification	C:\Program Files\MiniMeters\SDL2.dll	MiniMeters-Setup-0.8.17.tmp
File created	C:\Program Files\MiniMeters\unins000.dat	MiniMeters-Setup-0.8.17.tmp
File created	C:\Program Files\Common Files\VST3\MiniMetersServer.vst3\Contents\Resources\is-H74H7.tmp	MiniMeters-Setup-0.8.17.tmp
File opened for modification	C:\Program Files\MiniMeters\libcrypto-3-x64.dll	MiniMeters-Setup-0.8.17.tmp
File created	C:\Program Files\MiniMeters\is-5SPRL.tmp	MiniMeters-Setup-0.8.17.tmp
File created	C:\Program Files\MiniMeters\is-4JT2J.tmp	MiniMeters-Setup-0.8.17.tmp
File opened for modification	C:\Program Files\MiniMeters\MiniMeters.exe	MiniMeters-Setup-0.8.17.tmp
File created	C:\Program Files\MiniMeters\is-N7GFV.tmp	MiniMeters-Setup-0.8.17.tmp

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIA965.tmp	msiexec.exe
File created	C:\Windows\Installer\f7787c9.msi	msiexec.exe
File created	C:\Windows\Installer\f7787ca.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7787ca.msi	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x64.exe
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f7787b6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0D6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7787cd.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f7787b9.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAACE.tmp	msiexec.exe
File created	C:\Windows\Installer\f7787e0.msi	msiexec.exe
File created	C:\Windows\Installer\f7787b6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA22F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7787b9.ipi	msiexec.exe
File created	C:\Windows\Installer\f7787cd.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.38.33130"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F1247AC1522AC9A43B023A96182A7B98\VC_Runtime_Minimum	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{1CA7421F-A225-4A9C-B320-A36981A2B789}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.38.33130"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BD77713C1C1591B4F90883FEC5D1C798\Servicing_Key	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Dependents	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.38.33130"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F1247AC1522AC9A43B023A96182A7B98\Provider	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\Version = "237404522"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{C31777DB-51C1-4B19-9F80-38EF5C1D7C89}v14.38.33130\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{C31777DB-51C1-4B19-9F80-38EF5C1D7C89}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BD77713C1C1591B4F90883FEC5D1C798\VC_Runtime_Additional	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{1de5e707-82da-4db6-b810-5d140cc4cbb3}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{1de5e707-82da-4db6-b810-5d140cc4cbb3}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F1247AC1522AC9A43B023A96182A7B98	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList\PackageName = "vc_runtimeMinimum_x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\PackageCode = "2C7C7BC2C76DA7344888641520BBF8D6"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{C31777DB-51C1-4B19-9F80-38EF5C1D7C89}v14.38.33130\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\PackageCode = "5ED4A84E7A8511F4F91076B9DE989D70"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\SourceList\PackageName = "vc_runtimeAdditional_x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\Version = "237404522"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F1247AC1522AC9A43B023A96182A7B98\Servicing_Key	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{1CA7421F-A225-4A9C-B320-A36981A2B789}v14.38.33130\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.38.33130"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.38.33130"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.38.33130"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\AdvertiseFlags = "388"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{1CA7421F-A225-4A9C-B320-A36981A2B789}v14.38.33130\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList	msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2516	MiniMeters-Setup-0.8.17.tmp
2516	MiniMeters-Setup-0.8.17.tmp
2380	msiexec.exe
2380	msiexec.exe
2380	msiexec.exe
2380	msiexec.exe
2380	msiexec.exe
2380	msiexec.exe
2380	msiexec.exe
2380	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2916	vssvc.exe
Token: SeRestorePrivilege	2916	vssvc.exe
Token: SeAuditPrivilege	2916	vssvc.exe
Token: SeRestorePrivilege	2724	DrvInst.exe
Token: SeRestorePrivilege	2724	DrvInst.exe
Token: SeRestorePrivilege	2724	DrvInst.exe
Token: SeRestorePrivilege	2724	DrvInst.exe
Token: SeRestorePrivilege	2724	DrvInst.exe
Token: SeRestorePrivilege	2724	DrvInst.exe
Token: SeRestorePrivilege	2724	DrvInst.exe
Token: SeLoadDriverPrivilege	2724	DrvInst.exe
Token: SeLoadDriverPrivilege	2724	DrvInst.exe
Token: SeLoadDriverPrivilege	2724	DrvInst.exe
Token: SeShutdownPrivilege	3020	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	3020	VC_redist.x64.exe
Token: SeRestorePrivilege	2380	msiexec.exe
Token: SeTakeOwnershipPrivilege	2380	msiexec.exe
Token: SeSecurityPrivilege	2380	msiexec.exe
Token: SeCreateTokenPrivilege	3020	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	3020	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	3020	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	3020	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	3020	VC_redist.x64.exe
Token: SeTcbPrivilege	3020	VC_redist.x64.exe
Token: SeSecurityPrivilege	3020	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	3020	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	3020	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	3020	VC_redist.x64.exe
Token: SeSystemtimePrivilege	3020	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	3020	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	3020	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	3020	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	3020	VC_redist.x64.exe
Token: SeBackupPrivilege	3020	VC_redist.x64.exe
Token: SeRestorePrivilege	3020	VC_redist.x64.exe
Token: SeShutdownPrivilege	3020	VC_redist.x64.exe
Token: SeDebugPrivilege	3020	VC_redist.x64.exe
Token: SeAuditPrivilege	3020	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	3020	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	3020	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	3020	VC_redist.x64.exe
Token: SeUndockPrivilege	3020	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	3020	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	3020	VC_redist.x64.exe
Token: SeManageVolumePrivilege	3020	VC_redist.x64.exe
Token: SeImpersonatePrivilege	3020	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	3020	VC_redist.x64.exe
Token: SeRestorePrivilege	2380	msiexec.exe
Token: SeTakeOwnershipPrivilege	2380	msiexec.exe
Token: SeRestorePrivilege	2380	msiexec.exe
Token: SeTakeOwnershipPrivilege	2380	msiexec.exe
Token: SeRestorePrivilege	2380	msiexec.exe
Token: SeTakeOwnershipPrivilege	2380	msiexec.exe
Token: SeRestorePrivilege	2380	msiexec.exe
Token: SeTakeOwnershipPrivilege	2380	msiexec.exe
Token: SeRestorePrivilege	2380	msiexec.exe
Token: SeTakeOwnershipPrivilege	2380	msiexec.exe
Token: SeRestorePrivilege	2380	msiexec.exe
Token: SeTakeOwnershipPrivilege	2380	msiexec.exe
Token: SeRestorePrivilege	2380	msiexec.exe
Token: SeTakeOwnershipPrivilege	2380	msiexec.exe
Token: SeRestorePrivilege	2380	msiexec.exe
Token: SeTakeOwnershipPrivilege	2380	msiexec.exe
Token: SeRestorePrivilege	2380	msiexec.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2516	MiniMeters-Setup-0.8.17.tmp
2516	MiniMeters-Setup-0.8.17.tmp
2516	MiniMeters-Setup-0.8.17.tmp
2516	MiniMeters-Setup-0.8.17.tmp
2516	MiniMeters-Setup-0.8.17.tmp
2516	MiniMeters-Setup-0.8.17.tmp
2516	MiniMeters-Setup-0.8.17.tmp

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2516	3028	MiniMeters-Setup-0.8.17.exe	28
PID 3028 wrote to memory of 2516	3028	MiniMeters-Setup-0.8.17.exe	28
PID 3028 wrote to memory of 2516	3028	MiniMeters-Setup-0.8.17.exe	28
PID 3028 wrote to memory of 2516	3028	MiniMeters-Setup-0.8.17.exe	28
PID 3028 wrote to memory of 2516	3028	MiniMeters-Setup-0.8.17.exe	28
PID 3028 wrote to memory of 2516	3028	MiniMeters-Setup-0.8.17.exe	28
PID 3028 wrote to memory of 2516	3028	MiniMeters-Setup-0.8.17.exe	28
PID 2516 wrote to memory of 1652	2516	MiniMeters-Setup-0.8.17.tmp	36
PID 2516 wrote to memory of 1652	2516	MiniMeters-Setup-0.8.17.tmp	36
PID 2516 wrote to memory of 1652	2516	MiniMeters-Setup-0.8.17.tmp	36
PID 2516 wrote to memory of 1652	2516	MiniMeters-Setup-0.8.17.tmp	36
PID 2516 wrote to memory of 1652	2516	MiniMeters-Setup-0.8.17.tmp	36
PID 2516 wrote to memory of 1652	2516	MiniMeters-Setup-0.8.17.tmp	36
PID 2516 wrote to memory of 1652	2516	MiniMeters-Setup-0.8.17.tmp	36
PID 1652 wrote to memory of 856	1652	vc_redist.x64.exe	37
PID 1652 wrote to memory of 856	1652	vc_redist.x64.exe	37
PID 1652 wrote to memory of 856	1652	vc_redist.x64.exe	37
PID 1652 wrote to memory of 856	1652	vc_redist.x64.exe	37
PID 1652 wrote to memory of 856	1652	vc_redist.x64.exe	37
PID 1652 wrote to memory of 856	1652	vc_redist.x64.exe	37
PID 1652 wrote to memory of 856	1652	vc_redist.x64.exe	37
PID 856 wrote to memory of 3020	856	vc_redist.x64.exe	38
PID 856 wrote to memory of 3020	856	vc_redist.x64.exe	38
PID 856 wrote to memory of 3020	856	vc_redist.x64.exe	38
PID 856 wrote to memory of 3020	856	vc_redist.x64.exe	38
PID 856 wrote to memory of 3020	856	vc_redist.x64.exe	38
PID 856 wrote to memory of 3020	856	vc_redist.x64.exe	38
PID 856 wrote to memory of 3020	856	vc_redist.x64.exe	38
PID 3020 wrote to memory of 2556	3020	VC_redist.x64.exe	44
PID 3020 wrote to memory of 2556	3020	VC_redist.x64.exe	44
PID 3020 wrote to memory of 2556	3020	VC_redist.x64.exe	44
PID 3020 wrote to memory of 2556	3020	VC_redist.x64.exe	44
PID 3020 wrote to memory of 2556	3020	VC_redist.x64.exe	44
PID 3020 wrote to memory of 2556	3020	VC_redist.x64.exe	44
PID 3020 wrote to memory of 2556	3020	VC_redist.x64.exe	44
PID 2556 wrote to memory of 568	2556	VC_redist.x64.exe	45
PID 2556 wrote to memory of 568	2556	VC_redist.x64.exe	45
PID 2556 wrote to memory of 568	2556	VC_redist.x64.exe	45
PID 2556 wrote to memory of 568	2556	VC_redist.x64.exe	45
PID 2556 wrote to memory of 568	2556	VC_redist.x64.exe	45
PID 2556 wrote to memory of 568	2556	VC_redist.x64.exe	45
PID 2556 wrote to memory of 568	2556	VC_redist.x64.exe	45
PID 568 wrote to memory of 2560	568	VC_redist.x64.exe	46
PID 568 wrote to memory of 2560	568	VC_redist.x64.exe	46
PID 568 wrote to memory of 2560	568	VC_redist.x64.exe	46
PID 568 wrote to memory of 2560	568	VC_redist.x64.exe	46
PID 568 wrote to memory of 2560	568	VC_redist.x64.exe	46
PID 568 wrote to memory of 2560	568	VC_redist.x64.exe	46
PID 568 wrote to memory of 2560	568	VC_redist.x64.exe	46

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\MiniMeters-Setup-0.8.17.exe
"C:\Users\Admin\AppData\Local\Temp\MiniMeters-Setup-0.8.17.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\is-RKQER.tmp\MiniMeters-Setup-0.8.17.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RKQER.tmp\MiniMeters-Setup-0.8.17.tmp" /SL5="$400F4,29353594,831488,C:\Users\Admin\AppData\Local\Temp\MiniMeters-Setup-0.8.17.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\is-BGU03.tmp\vc_redist.x64.exe
    "C:\Users\Admin\AppData\Local\Temp\is-BGU03.tmp\vc_redist.x64.exe" /install /passive /q /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\Temp\{5611820D-376E-4A2A-9F8E-CAC3FA94B144}\.cr\vc_redist.x64.exe
      "C:\Windows\Temp\{5611820D-376E-4A2A-9F8E-CAC3FA94B144}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-BGU03.tmp\vc_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /install /passive /q /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:856
    - - C:\Windows\Temp\{6DA8678E-A510-43CD-9504-C9FF6F35927E}\.be\VC_redist.x64.exe
        
        "C:\Windows\Temp\{6DA8678E-A510-43CD-9504-C9FF6F35927E}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{D065BF3A-A722-44B3-9B95-2AC93915E546} {9B084182-90A0-4039-A722-B2A46672E64C} 856
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={1de5e707-82da-4db6-b810-5d140cc4cbb3} -burn.filehandle.self=500 -burn.embedded BurnPipe.{E9267E05-5E99-4B66-A695-457882252C2E} {CD3A768D-7CE5-416C-8E38-9E6647297EFA} 3020
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 -uninstall -quiet -burn.related.upgrade -burn.ancestors={1de5e707-82da-4db6-b810-5d140cc4cbb3} -burn.filehandle.self=500 -burn.embedded BurnPipe.{E9267E05-5E99-4B66-A695-457882252C2E} {CD3A768D-7CE5-416C-8E38-9E6647297EFA} 3020
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{89FF21E4-5339-41AA-A4E7-16F8415052F0} {CC770F4C-A4FF-46E1-BAED-BB422EEF79D5} 568
        8⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2560

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1532

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A8" "0000000000000350"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1292

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7787bc.rbs

Filesize
17KB

MD5
687157824dd50bfddf39c84a6983de11

SHA1
eb08255c65e340c5608a7dd090f1673a6a49bd4d

SHA256
b5156f7325b74c119c50e649ef755739545032fc72422f35d4beca175234d7db

SHA512
492518f39c8a9ea23dda632c81765d770450bdd1e09022694a43c7842b9881befd9e46d6a73fa34e78efbad3bff54252f750767f081dd1d791105e72021db2bf

Download Submit
C:\Config.Msi\f7787c8.rbs

Filesize
16KB

MD5
8c66eeccc471377b4127f68577427b65

SHA1
71d1091ab2eac9e5a453339920d5860b43fbd86c

SHA256
36f5c8eedf3231b643be1c8ec70732595dd0f8e73b20c9527236041e357c3a8e

SHA512
71fd6e807ac0982f3c7e7cbdb55f633b91801c15cf03941d6d28126fcce44efbeda8fe5211364c88592a6694ed7a617cf0194506b4ad568e35e7dacbcdaa6cf2

Download Submit
C:\Config.Msi\f7787d0.rbs

Filesize
18KB

MD5
2299590ecde815d03dcf486fb8d77e26

SHA1
852f9682ced426df965434a146b6197d25e3998a

SHA256
8cf38ea6a15884784989c170310d963c6ba683580d6d0984dc06816926ad33a5

SHA512
228b143ea3bc5b82ba370541ab62b8d8dd876b89be3f9714489483642c96a926d322dac697e69749ebef44f8e3f8175d97d2edb6fdd4e498f3d8679351d414d5

Download Submit
C:\Config.Msi\f7787df.rbs

Filesize
17KB

MD5
1503590ecd04699b4bddbe7ff7bb71a6

SHA1
ed2c1b657a02666800cd39b369032c6e9a9e5736

SHA256
b69ab1bf8e1e17ec495cfeb62b0f710de2c4be65093e3f8bb63c292638da4ec0

SHA512
4a1a7782a7e87cd9c4897720033e5c3a6515d94681c98fc0578ed5a8efabfdbc9236458364988b44edd672ff971ff765330939f5bea679bdd1af92ad9bd0837b

Download Submit
C:\Program Files\MiniMeters\MiniMeters.exe

Filesize
960KB

MD5
be324850ce9e18af098e038f480d4572

SHA1
91b96f3a2bf839fa3b616eb5ec757823fdefc7a0

SHA256
9707d65b2bca63d9cba9784363a827df922d803d517fcaa4bcedb69072b0e875

SHA512
b2157b6d903370b4480a8830fd4f0dd0146218b7b9d5490ed9f64f6e6035493f99ea269a4a3134350d71a10b233beec892950e10f26caafe8731309f0bac8d05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59fe7bb59d01a61f6813db4bb52e8061

SHA1
d5e5d8a2ee30e87add6d277b163496635c839732

SHA256
867e2f12ce3faea49a7c054d8ef1d2effcbba9cc9e1ca5a13cca844f2cd60ae0

SHA512
1dfb4a80560390c01ea4c04b41ab7d979aadbc965f931b89fa767bf90b8bd5f572701ed4b939bf7f70f1d059407cc92376454e24cd5effef9600a4ee1f05a78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab87D7.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9E8D.tmp

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar87EA.tmp

Filesize
112KB

MD5
97d41ccc3d6e9f8d4b5728822d94bec2

SHA1
f272feba96849797c92a117e393acc1decc57ead

SHA256
553cac12a10f89dc47309ea56562524361d28b1136f362b0940b37bf66a0b6d4

SHA512
6d2b438abc89c0ae7e1074ff230e6ba7a6d1095a6a32134a1db19a1830bfbb3954a037481c1c9cd5c4c391d762bd36a9ee599ad1e8219314daedf7e73c0818fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9EFD.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240309192515_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
1742313d7a0470eae99b89c2c6b9ad75

SHA1
f9c300d7f026b584978afe42d1965a137cd0d0e8

SHA256
6c516d2f2cfef61fb6bb6263f54d8f71dc49314ca52d6813b5d5f29d45a09e5d

SHA512
478fc56276faadd4d2fb5260a5c64e14b7146fb17e8e9d1233741739a24ce17fe76e00fa1eea204ca3c798b0729e4c6b9e69ee30c5911a3c578f05c8110cccbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240309192515_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
8181147b3449d19f695721f3b3a4aa0f

SHA1
52a262c9798c88e9135839690b323fd8f53457cd

SHA256
b37c1ca3a903cd64c4415cbbee95384a116d7eae7e4b7749bcc627057e4d83d8

SHA512
104c43b45e20ffadb5164ba097d5cee4fd6d63217977b7bcee216805635873aa839004992041affe3301f19ac8e1f9490d921283c406fb8bd8cd2a3d340f6f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BGU03.tmp\vc_redist.x64.exe

Filesize
2.6MB

MD5
62acb3b901e64f1b958e81ce08e4ab20

SHA1
4b066bd724bd8b8d31dae004245489444b2eb2e2

SHA256
3587086c51957ae89cb74bb137e8e564543b865ab17bd338d0e0f48cacf3a7e8

SHA512
114d6a42589b0c4a28e84d54834b0482070032495bde800be87ad52e8e8d5f16387285c865ea66b37819aea895fac6fe38b45e1e5c95015df59a7414f2829f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BGU03.tmp\vc_redist.x64.exe

Filesize
3.0MB

MD5
c6a235b7358a2ccf16621834de877266

SHA1
d4cb017600a7310b6034085b5313e2d12d1fe460

SHA256
29aa8bfdbb529aca4cba235984afffa2c5e9fcd5fdf97f33e4383af8f2c841e0

SHA512
42924539d87ff1af91fe08dea2a758eee56987ac09bb40ab2cfb7bb6cdc4c7e06a038afe7b807368804b20330809dae3aa938a1ba99b8f7e3217fdbba02809f5

Download Submit
C:\Windows\Temp\{6DA8678E-A510-43CD-9504-C9FF6F35927E}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{6DA8678E-A510-43CD-9504-C9FF6F35927E}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
524KB

MD5
06a328f60f41fe1f2196d3a6bc8e5b0a

SHA1
57040ea0ceeb9ff0315c0f05a26dd8f714d18ad8

SHA256
342529b53b776245a9601753f5666b79da53b62eeaf32a4a4db8065918e415d2

SHA512
7bd47555a9fb8cb1c6af773ce7b055a27bd7c196003a3533d8823e95c38376d45136fbf720b401097d5bcfa3d5dc5f8b72eb8517d5511196765685dcdb3e32eb

Download Submit
C:\Windows\Temp\{6DA8678E-A510-43CD-9504-C9FF6F35927E}\cab5046A8AB272BF37297BB7928664C9503

Filesize
391KB

MD5
9844c496ed1b7b06c52a7c60300b8041

SHA1
05a9814c8e539babe511440716ef93ad2b43a3b8

SHA256
48862c943a77ae4e1e345c413f392ea9b51c8d85e1bd395e57b6ad2f1bbec639

SHA512
3ac9ac0a1dbf7c4b98d32ef7529b2dbb95def33fb80295fd2f9f542b5da1fcbfe063ac117e1323065fd23cfabbc889caa1436d100b3aba36822fdeee879e36c9

Download Submit
C:\Windows\Temp\{6DA8678E-A510-43CD-9504-C9FF6F35927E}\vcRuntimeAdditional_x64

Filesize
188KB

MD5
ea980cf567e11691d1e4476eb46cf0b9

SHA1
a0520000ad102411c041fc44e333fa298e72b38f

SHA256
98c9604efcba36d02387a570ddf9697951fb8f625c5ce2471a2d4a573e962d23

SHA512
b07184932de406cc1df8ae3599d0418211f3b3f40711f743aa7534d06757794aa9f1b61f6b7fa85cd604f5e6eca7d08a04ec2d2c78c80fff5bdec2b772f5656d

Download Submit
C:\Windows\Temp\{6DA8678E-A510-43CD-9504-C9FF6F35927E}\vcRuntimeMinimum_x64

Filesize
188KB

MD5
cde169db3e6657e49a923413bec65774

SHA1
6c57b389c08a0a3bd3c8919c2b546fb9e1ea7003

SHA256
6cf659c5d73f2ce102b60a64f820f57d598efbfb1e1a0f393a5df7f11bbc35c3

SHA512
d32b32ec275ea7befe7c63977cd300887bc88460d56c4fb848447c87006ead29fdb41c60688186d18bfac6ff6f0c8a441d1fb91765a4fda93824d4b61a4ae627

Download Submit
C:\Windows\WindowsUpdate.log

Filesize
16KB

MD5
e2869d48e403375e122b19a9dcec1f27

SHA1
566b02bbadd5ae6e2f05a121fa4cbefe3380e67d

SHA256
e178a0fb4a9fbb0140cf43b000f2f60ee3f774ede42024c8ec757f6868442f04

SHA512
856f5abeee2ef44331a4379a211157d59f06178876c47901ea01373af8e2ad5559541e73429afb53714d2a5f8a86ebc5e19db045e694f593ec798351f5ca8a6b

Download Submit
\Program Files\MiniMeters\MiniMeters.exe

Filesize
1.7MB

MD5
d812d49701546537c9feee7b32a84c15

SHA1
365e13bb405f9a5de091fbb9487f257acb1c31d5

SHA256
7571bfd2a93c54359b2e078ef1389dae3316ac040754f1f45576dc34196d9afb

SHA512
05a7171fe8a87c0502c9e9b8e5c8ca09ee16d7365fd9eb39724be27f8bb3f948e133de25f8eefb06c89808f385204a460b9b69e938f4d89b2dff8ffacb8eb6b0

Download Submit
\Program Files\MiniMeters\MiniMeters.exe

Filesize
834KB

MD5
4700bcf2fcab2c2cda817da6a0fbf8ea

SHA1
744d4691f2644f4faf7837eae89104055c3e6c7e

SHA256
80249c6e02ce2a7d26bfa5cd1aaa1ef373a2030cbf7dd5cabbb6052b990db504

SHA512
071221ab245db25e02ca665f8696e0866feee7413a19832ed808d1c4bcc3aa908b15bab354c97f05e25b7b9083c612ee1c84a9780c638569cb78c6ad6387dbe0

Download Submit
\Program Files\MiniMeters\MiniMeters.exe

Filesize
640KB

MD5
38c305fb1a87da5d6d809125b671ebf0

SHA1
bf8c3a6f045e8d7970a6e6c6b8f8e9dd03c2c4ef

SHA256
e9b632f389455d198b9bdaed29863e17f00e0813a91b4756bd5fd7ee01e2a474

SHA512
42dd27b6507a1e229995372e247c3264795a2e2d888ac0c5c6b76dff8d07dea2caeb03c01d2c957071010d4fee540f7b54e110f969daad98a79df82dccb4ae48

Download Submit
\Program Files\MiniMeters\MiniMeters.exe

Filesize
512KB

MD5
f2ac0e254353c89d5a5bc68148efaeb0

SHA1
0ebcb7f3301a41861bc3e68b6efcf241d5b7dbe4

SHA256
b961b25f13e20134f29f69520ec0e133e8350990ef2620e21e6000dc9a60c29b

SHA512
2169033f69d67c05c96df950f53c211b30f9fbd1fe89cbb81d58bd23eb4131dd8e1b734d3d6906962a19df50a44f2426b15ce9281e6b39f9d3bce8b21856a23e

Download Submit
\Users\Admin\AppData\Local\Temp\is-BGU03.tmp\vc_redist.x64.exe

Filesize
3.1MB

MD5
aca1de84fcfaac3a898fbdd2ac3504d6

SHA1
a90e0f77d00cf47d98f6059e5522ad427f1e7700

SHA256
f34126524fd51666c7d4627f5ee669fb8ec1c0027e5087d70df147bd92f75adf

SHA512
a9c6c8c1482b740c1ce95e44ec09008eaf5ec0c2e10b43018d1495bf500b05ac8e540878aa9a83d48eefbcc30c778bbd662246517a8fdf813326327b847d44f5

Download Submit
\Users\Admin\AppData\Local\Temp\is-RKQER.tmp\MiniMeters-Setup-0.8.17.tmp

Filesize
3.0MB

MD5
34e2687b23136b3e3283138144e03e98

SHA1
f76e71aefd3e1f0e6d83b70dbf82e56c9e261dd9

SHA256
5c046f9c87dac065ea1239321d01bc2dc44cc60fc542839080bb966f7b1b1ddd

SHA512
4f9ec7c4a302f4dab77c722f4ad4749fa9e3d0c8481281d23ea4186331c71a3a96a9d1b225acd617376c5b3677e37816fa3edaf0346862689aff47eb5653d9dd

Download Submit
\Windows\Temp\{5611820D-376E-4A2A-9F8E-CAC3FA94B144}\.cr\vc_redist.x64.exe

Filesize
635KB

MD5
53e9222bc438cbd8b7320f800bef2e78

SHA1
c4f295d8855b4b16c7450a4a9150eb95046f6390

SHA256
0e49026767420229afd23b1352cf9f97f24e0768c3d527000d449ffdb4ca6888

SHA512
7533f9791e1807072a4dbb6ca03c696b12dfa5337678fab53aceea0e4b7e5ffefb90c9b450ac80878e1e9a4bce549f619da4cd2d06eb2554c9add5b4ec838b4a

Download Submit
\Windows\Temp\{6DA8678E-A510-43CD-9504-C9FF6F35927E}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
memory/1292-525-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/1880-526-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2516-11-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2516-24-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2516-22-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2516-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2516-14-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2516-521-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2516-523-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2516-121-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3028-10-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3028-524-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3028-1-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads