Analysis
-
max time kernel
206s -
max time network
217s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
12-03-2024 11:40
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://games-blacksoft.com/keygen-riders-republic-serial-number-key-crack-pc/
Resource
win10v2004-20240226-en
General
-
Target
https://games-blacksoft.com/keygen-riders-republic-serial-number-key-crack-pc/
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exemsiexec.exemsiexec.exemsiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe -
Drops file in Program Files directory 64 IoCs
Processes:
msiexec.exemsiexec.exemsiexec.exemsiexec.exedescription ioc process File opened for modification C:\Program Files\7-Zip\Lang\sv.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\ms.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\mr.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\bn.txt msiexec.exe File created C:\Program Files\7-Zip\License.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\hr.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\it.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\si.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\br.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\lij.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\cs.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\ne.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\va.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\ne.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\fy.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\ps.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\uk.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\gu.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\vi.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\fi.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\nn.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\nl.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\yo.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\hu.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\fy.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\ba.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\fy.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\be.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\ps.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\ba.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\sl.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\readme.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\he.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\ne.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\tg.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\eu.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\descript.ion msiexec.exe File created C:\Program Files\7-Zip\Lang\pa-in.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\si.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\ba.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\fr.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\ku-ckb.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\ja.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\he.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\es.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\id.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\fa.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\ast.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\be.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\pt.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\readme.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\id.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\en.ttt msiexec.exe File created C:\Program Files\7-Zip\Lang\ga.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\th.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\da.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\is.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\af.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\kab.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\ku.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\af.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\az.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\ms.txt msiexec.exe -
Drops file in Windows directory 26 IoCs
Processes:
msiexec.exedescription ioc process File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.exe msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zG.exe msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.dll msiexec.exe File opened for modification C:\Windows\Installer\e5ab72c.msi msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip.dll msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.exe msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zCon.sfx msiexec.exe File created C:\Windows\Installer\e5ab77a.msi msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000 msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zCon.sfx msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zFM.exe msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip.dll msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\SourceHash{23170F69-40C1-2702-2201-000001000000} msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zFM.exe msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip32.dll msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.sfx msiexec.exe File created C:\Windows\Installer\e5ab72c.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip32.dll msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zG.exe msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.dll msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.sfx msiexec.exe File opened for modification C:\Windows\Installer\MSIBBA0.tmp msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0 msiexec.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000064efbbd21686319b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000064efbbd20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090064efbbd2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d64efbbd2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000064efbbd200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Modifies data under HKEY_USERS 3 IoCs
Processes:
msiexec.exedescription ioc process Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 msiexec.exe -
Modifies registry class 34 IoCs
Processes:
msiexec.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\7-Zip msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Media\1 = ";" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Drive\shellex\DragDropHandlers\7-Zip msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0420720000000040000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\Program = "Complete" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Directory\shellex\DragDropHandlers\7-Zip msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\LanguageFiles = "Complete" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\AdvertiseFlags = "388" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\Complete msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Language = "1033" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\PackageName = "7z2201-x64.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Media msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0420720000000040000000\96F071321C0420722210000010000000 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Version = "369164288" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\AuthorizedLUAApp = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\ProductName = "7-Zip 22.01 (x64 edition)" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\PackageCode = "96F071321C0420722210000020000000" msiexec.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid process 5352 msiexec.exe 5352 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exemsiexec.exedescription pid process Token: SeShutdownPrivilege 5252 msiexec.exe Token: SeIncreaseQuotaPrivilege 5252 msiexec.exe Token: SeSecurityPrivilege 5352 msiexec.exe Token: SeCreateTokenPrivilege 5252 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 5252 msiexec.exe Token: SeLockMemoryPrivilege 5252 msiexec.exe Token: SeIncreaseQuotaPrivilege 5252 msiexec.exe Token: SeMachineAccountPrivilege 5252 msiexec.exe Token: SeTcbPrivilege 5252 msiexec.exe Token: SeSecurityPrivilege 5252 msiexec.exe Token: SeTakeOwnershipPrivilege 5252 msiexec.exe Token: SeLoadDriverPrivilege 5252 msiexec.exe Token: SeSystemProfilePrivilege 5252 msiexec.exe Token: SeSystemtimePrivilege 5252 msiexec.exe Token: SeProfSingleProcessPrivilege 5252 msiexec.exe Token: SeIncBasePriorityPrivilege 5252 msiexec.exe Token: SeCreatePagefilePrivilege 5252 msiexec.exe Token: SeCreatePermanentPrivilege 5252 msiexec.exe Token: SeBackupPrivilege 5252 msiexec.exe Token: SeRestorePrivilege 5252 msiexec.exe Token: SeShutdownPrivilege 5252 msiexec.exe Token: SeDebugPrivilege 5252 msiexec.exe Token: SeAuditPrivilege 5252 msiexec.exe Token: SeSystemEnvironmentPrivilege 5252 msiexec.exe Token: SeChangeNotifyPrivilege 5252 msiexec.exe Token: SeRemoteShutdownPrivilege 5252 msiexec.exe Token: SeUndockPrivilege 5252 msiexec.exe Token: SeSyncAgentPrivilege 5252 msiexec.exe Token: SeEnableDelegationPrivilege 5252 msiexec.exe Token: SeManageVolumePrivilege 5252 msiexec.exe Token: SeImpersonatePrivilege 5252 msiexec.exe Token: SeCreateGlobalPrivilege 5252 msiexec.exe Token: SeBackupPrivilege 5560 vssvc.exe Token: SeRestorePrivilege 5560 vssvc.exe Token: SeAuditPrivilege 5560 vssvc.exe Token: SeBackupPrivilege 5352 msiexec.exe Token: SeRestorePrivilege 5352 msiexec.exe Token: SeShutdownPrivilege 5416 msiexec.exe Token: SeIncreaseQuotaPrivilege 5416 msiexec.exe Token: SeCreateTokenPrivilege 5416 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 5416 msiexec.exe Token: SeLockMemoryPrivilege 5416 msiexec.exe Token: SeIncreaseQuotaPrivilege 5416 msiexec.exe Token: SeMachineAccountPrivilege 5416 msiexec.exe Token: SeTcbPrivilege 5416 msiexec.exe Token: SeSecurityPrivilege 5416 msiexec.exe Token: SeTakeOwnershipPrivilege 5416 msiexec.exe Token: SeLoadDriverPrivilege 5416 msiexec.exe Token: SeSystemProfilePrivilege 5416 msiexec.exe Token: SeSystemtimePrivilege 5416 msiexec.exe Token: SeProfSingleProcessPrivilege 5416 msiexec.exe Token: SeIncBasePriorityPrivilege 5416 msiexec.exe Token: SeCreatePagefilePrivilege 5416 msiexec.exe Token: SeCreatePermanentPrivilege 5416 msiexec.exe Token: SeBackupPrivilege 5416 msiexec.exe Token: SeRestorePrivilege 5416 msiexec.exe Token: SeShutdownPrivilege 5416 msiexec.exe Token: SeDebugPrivilege 5416 msiexec.exe Token: SeAuditPrivilege 5416 msiexec.exe Token: SeSystemEnvironmentPrivilege 5416 msiexec.exe Token: SeChangeNotifyPrivilege 5416 msiexec.exe Token: SeRemoteShutdownPrivilege 5416 msiexec.exe Token: SeUndockPrivilege 5416 msiexec.exe Token: SeSyncAgentPrivilege 5416 msiexec.exe -
Suspicious use of FindShellTrayWindow 11 IoCs
Processes:
msiexec.exemsiexec.exemsiexec.exemsiexec.exemsiexec.exepid process 5252 msiexec.exe 5416 msiexec.exe 5416 msiexec.exe 5416 msiexec.exe 5252 msiexec.exe 4216 msiexec.exe 4216 msiexec.exe 5252 msiexec.exe 4956 msiexec.exe 4956 msiexec.exe 5924 msiexec.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
msiexec.exedescription pid process target process PID 5352 wrote to memory of 3100 5352 msiexec.exe srtasks.exe PID 5352 wrote to memory of 3100 5352 msiexec.exe srtasks.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://games-blacksoft.com/keygen-riders-republic-serial-number-key-crack-pc/1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3360 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3720 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4552 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5536 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5448 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5944 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6036 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5720 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6236 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=6136 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6368 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6544 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=6524 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=6924 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6964 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2201-x64.msi"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2201-x64.msi"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2201-x64.msi"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2201-x64.msi"1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2201-x64.msi"1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e5ab72d.rbsFilesize
28KB
MD501bb95621c1ccd07e2755414866ae6f2
SHA1fc70323b4713e525bdb5700b38aa2e06c21bc4f6
SHA25626ab61033a4f18ba3149b937c3a2c67ebe81fae530826b23c9226a2a6b9f400d
SHA512f179d2f2c0f64b98b3ccff59826422f51c4797b49ee12e3ad92ee6c4bdb46da96c38bbcfeb2d084889282a132753c9b488b549803ab6deb76fd702184002c8d2
-
C:\Windows\Installer\e5ab77a.msiFilesize
1.8MB
MD550515f156ae516461e28dd453230d448
SHA13209574e09ec235b2613570e6d7d8d5058a64971
SHA256f4afba646166999d6090b5beddde546450262dc595dddeb62132da70f70d14ca
SHA51214593ca96d416a2fbb6bbbf8adec51978e6c0fb513882d5442ab5876e28dd79be14ca9dd77acff2d3d329cb7733f7e969e784c57e1f414d00f3c7b9d581638e5
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
7.5MB
MD5a67bb19b6fef6c2c35364f3c2b29cb47
SHA15a3ae02997f0deb518b0e7ff145612651e77b8a5
SHA2567a1ad30b751a28959a9be92303b3539010f832f43eefe6d0a044c573a24d9e72
SHA5125931c0f3c2d01f14ae235e3e0d7713aa6f7bc59fb91f2c908f9c2facb665003d28793a6ef22ec7c631543019b29a22ec73e0b2562797f80a69a91e5c783c5b3b
-
\??\Volume{d2bbef64-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{300c9ed0-47cb-4549-a68a-f458e88f018f}_OnDiskSnapshotPropFilesize
6KB
MD588a27edfde3fdec29af4a34a5172c937
SHA13874ac180dac24ef4dc968daab403d22fe710258
SHA2566d41af1aed31d7c3a6e10ce8e75eba1d18d400caf64f36b945a29dafca829f02
SHA5122c3a65391e7b7bd19c0dfbecc8d78fb0c3b3bf5c3224f5bdb7f7915c0054b24706843a5da62a6708121256b387c6efc4de9ee6a9a59876a7017394e8479386aa