hxxps://games-blacksoft[.]com/keygen-riders-republic-serial-number-key-crack-pc/

General

Target

https://games-blacksoft.com/keygen-riders-republic-serial-number-key-crack-pc/

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exemsiexec.exemsiexec.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exemsiexec.exemsiexec.exemsiexec.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	msiexec.exe
File created	C:\Program Files\7-Zip\License.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\si.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\be.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\th.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\af.txt	msiexec.exe
File created	C:\Program Files\7-Zip\Lang\az.txt	msiexec.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	msiexec.exe

Drops file in Windows directory 26 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zG.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\e5ab72c.msi	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip.dll	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.exe	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zCon.sfx	msiexec.exe
File created	C:\Windows\Installer\e5ab77a.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zCon.sfx	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zFM.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{23170F69-40C1-2702-2201-000001000000}	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zFM.exe	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip32.dll	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.sfx	msiexec.exe
File created	C:\Windows\Installer\e5ab72c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip32.dll	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zG.exe	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.sfx	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBBA0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000064efbbd21686319b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000064efbbd20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090064efbbd2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d64efbbd2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000064efbbd200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe

Modifies registry class 34 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Drive\shellex\DragDropHandlers\7-Zip	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0420720000000040000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\Program = "Complete"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shellex\DragDropHandlers\7-Zip	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\LanguageFiles = "Complete"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\Complete	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\PackageName = "7z2201-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0420720000000040000000\96F071321C0420722210000010000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Version = "369164288"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\ProductName = "7-Zip 22.01 (x64 edition)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\PackageCode = "96F071321C0420722210000020000000"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

5352 msiexec.exe
5352 msiexec.exe

pid	process
5352	msiexec.exe
5352	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	5252	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5252	msiexec.exe
Token: SeSecurityPrivilege	5352	msiexec.exe
Token: SeCreateTokenPrivilege	5252	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5252	msiexec.exe
Token: SeLockMemoryPrivilege	5252	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5252	msiexec.exe
Token: SeMachineAccountPrivilege	5252	msiexec.exe
Token: SeTcbPrivilege	5252	msiexec.exe
Token: SeSecurityPrivilege	5252	msiexec.exe
Token: SeTakeOwnershipPrivilege	5252	msiexec.exe
Token: SeLoadDriverPrivilege	5252	msiexec.exe
Token: SeSystemProfilePrivilege	5252	msiexec.exe
Token: SeSystemtimePrivilege	5252	msiexec.exe
Token: SeProfSingleProcessPrivilege	5252	msiexec.exe
Token: SeIncBasePriorityPrivilege	5252	msiexec.exe
Token: SeCreatePagefilePrivilege	5252	msiexec.exe
Token: SeCreatePermanentPrivilege	5252	msiexec.exe
Token: SeBackupPrivilege	5252	msiexec.exe
Token: SeRestorePrivilege	5252	msiexec.exe
Token: SeShutdownPrivilege	5252	msiexec.exe
Token: SeDebugPrivilege	5252	msiexec.exe
Token: SeAuditPrivilege	5252	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5252	msiexec.exe
Token: SeChangeNotifyPrivilege	5252	msiexec.exe
Token: SeRemoteShutdownPrivilege	5252	msiexec.exe
Token: SeUndockPrivilege	5252	msiexec.exe
Token: SeSyncAgentPrivilege	5252	msiexec.exe
Token: SeEnableDelegationPrivilege	5252	msiexec.exe
Token: SeManageVolumePrivilege	5252	msiexec.exe
Token: SeImpersonatePrivilege	5252	msiexec.exe
Token: SeCreateGlobalPrivilege	5252	msiexec.exe
Token: SeBackupPrivilege	5560	vssvc.exe
Token: SeRestorePrivilege	5560	vssvc.exe
Token: SeAuditPrivilege	5560	vssvc.exe
Token: SeBackupPrivilege	5352	msiexec.exe
Token: SeRestorePrivilege	5352	msiexec.exe
Token: SeShutdownPrivilege	5416	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5416	msiexec.exe
Token: SeCreateTokenPrivilege	5416	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5416	msiexec.exe
Token: SeLockMemoryPrivilege	5416	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5416	msiexec.exe
Token: SeMachineAccountPrivilege	5416	msiexec.exe
Token: SeTcbPrivilege	5416	msiexec.exe
Token: SeSecurityPrivilege	5416	msiexec.exe
Token: SeTakeOwnershipPrivilege	5416	msiexec.exe
Token: SeLoadDriverPrivilege	5416	msiexec.exe
Token: SeSystemProfilePrivilege	5416	msiexec.exe
Token: SeSystemtimePrivilege	5416	msiexec.exe
Token: SeProfSingleProcessPrivilege	5416	msiexec.exe
Token: SeIncBasePriorityPrivilege	5416	msiexec.exe
Token: SeCreatePagefilePrivilege	5416	msiexec.exe
Token: SeCreatePermanentPrivilege	5416	msiexec.exe
Token: SeBackupPrivilege	5416	msiexec.exe
Token: SeRestorePrivilege	5416	msiexec.exe
Token: SeShutdownPrivilege	5416	msiexec.exe
Token: SeDebugPrivilege	5416	msiexec.exe
Token: SeAuditPrivilege	5416	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5416	msiexec.exe
Token: SeChangeNotifyPrivilege	5416	msiexec.exe
Token: SeRemoteShutdownPrivilege	5416	msiexec.exe
Token: SeUndockPrivilege	5416	msiexec.exe
Token: SeSyncAgentPrivilege	5416	msiexec.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

msiexec.exemsiexec.exemsiexec.exemsiexec.exemsiexec.exe

pid	process
5252	msiexec.exe
5416	msiexec.exe
5416	msiexec.exe
5416	msiexec.exe
5252	msiexec.exe
4216	msiexec.exe
4216	msiexec.exe
5252	msiexec.exe
4956	msiexec.exe
4956	msiexec.exe
5924	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 5352 wrote to memory of 3100	5352	msiexec.exe	srtasks.exe
PID 5352 wrote to memory of 3100	5352	msiexec.exe	srtasks.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://games-blacksoft.com/keygen-riders-republic-serial-number-key-crack-pc/
1⤵
PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3360 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
1⤵
PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3720 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
1⤵
PID:1200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4552 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5536 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
1⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5448 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:2172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5944 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:1648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6036 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
1⤵
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5720 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
1⤵
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6236 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
1⤵
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=6136 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
1⤵
PID:1268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6368 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
1⤵
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6544 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=6524 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
1⤵
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=6924 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
1⤵
PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6964 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:3332

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2201-x64.msi"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5252

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5352

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:3100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5560

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6040

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2201-x64.msi"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5416

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2201-x64.msi"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:4216

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2201-x64.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4956

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2201-x64.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:5924

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5ab72d.rbs
Filesize
28KB

MD5
01bb95621c1ccd07e2755414866ae6f2

SHA1
fc70323b4713e525bdb5700b38aa2e06c21bc4f6

SHA256
26ab61033a4f18ba3149b937c3a2c67ebe81fae530826b23c9226a2a6b9f400d

SHA512
f179d2f2c0f64b98b3ccff59826422f51c4797b49ee12e3ad92ee6c4bdb46da96c38bbcfeb2d084889282a132753c9b488b549803ab6deb76fd702184002c8d2

Download Submit
C:\Windows\Installer\e5ab77a.msi
Filesize
1.8MB

MD5
50515f156ae516461e28dd453230d448

SHA1
3209574e09ec235b2613570e6d7d8d5058a64971

SHA256
f4afba646166999d6090b5beddde546450262dc595dddeb62132da70f70d14ca

SHA512
14593ca96d416a2fbb6bbbf8adec51978e6c0fb513882d5442ab5876e28dd79be14ca9dd77acff2d3d329cb7733f7e969e784c57e1f414d00f3c7b9d581638e5

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
7.5MB

MD5
a67bb19b6fef6c2c35364f3c2b29cb47

SHA1
5a3ae02997f0deb518b0e7ff145612651e77b8a5

SHA256
7a1ad30b751a28959a9be92303b3539010f832f43eefe6d0a044c573a24d9e72

SHA512
5931c0f3c2d01f14ae235e3e0d7713aa6f7bc59fb91f2c908f9c2facb665003d28793a6ef22ec7c631543019b29a22ec73e0b2562797f80a69a91e5c783c5b3b

Download Submit
\??\Volume{d2bbef64-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{300c9ed0-47cb-4549-a68a-f458e88f018f}_OnDiskSnapshotProp
Filesize
6KB

MD5
88a27edfde3fdec29af4a34a5172c937

SHA1
3874ac180dac24ef4dc968daab403d22fe710258

SHA256
6d41af1aed31d7c3a6e10ce8e75eba1d18d400caf64f36b945a29dafca829f02

SHA512
2c3a65391e7b7bd19c0dfbecc8d78fb0c3b3bf5c3224f5bdb7f7915c0054b24706843a5da62a6708121256b387c6efc4de9ee6a9a59876a7017394e8479386aa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads