Analysis
-
max time kernel
146s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10-04-2024 14:44
Static task
static1
Behavioral task
behavioral1
Sample
e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909.msi
Resource
win7-20240221-en
General
-
Target
e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909.msi
-
Size
6.5MB
-
MD5
9e2b456c62b027c89b36dc9109e50f01
-
SHA1
617fddb80de29bc455c0ecfd4b64d194fe911541
-
SHA256
e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909
-
SHA512
18ee2debeac010286291d3af38b46cb29d2503e8056b5ab74120e6934e4b16396d894e323dc11eb5cd1902ea0c30fbac75f03dbda74ea670d3828d7b6318bf59
-
SSDEEP
98304:5p4wd88KSX2ylsm84rfq/03ZUVaxNv3DiPF1D/lAd3YR77vhBLAbRGH1oVda3WHx:Iwe8B21mNfq/0+IxgP5sE77vfLe04rs
Malware Config
Signatures
-
Babadeda Crypter 2 IoCs
resource yara_rule behavioral2/files/0x00070000000231e5-68.dat family_babadeda behavioral2/files/0x00070000000231f8-968.dat family_babadeda -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 2508 ICACLS.EXE 2896 ICACLS.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\k: csvhelper.exe File opened (read-only) \??\l: csvhelper.exe File opened (read-only) \??\o: csvhelper.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\h: csvhelper.exe File opened (read-only) \??\x: csvhelper.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\e: csvhelper.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\q: csvhelper.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\n: csvhelper.exe File opened (read-only) \??\v: csvhelper.exe File opened (read-only) \??\y: csvhelper.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\b: csvhelper.exe File opened (read-only) \??\w: csvhelper.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\i: csvhelper.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\g: csvhelper.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\a: csvhelper.exe File opened (read-only) \??\s: csvhelper.exe File opened (read-only) \??\u: csvhelper.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\m: csvhelper.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\p: csvhelper.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\j: csvhelper.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\r: csvhelper.exe File opened (read-only) \??\z: csvhelper.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\t: csvhelper.exe File opened (read-only) \??\T: msiexec.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/60-981-0x0000000000280000-0x00000000009BF000-memory.dmp autoit_exe behavioral2/memory/60-983-0x0000000000280000-0x00000000009BF000-memory.dmp autoit_exe behavioral2/memory/60-985-0x0000000000280000-0x00000000009BF000-memory.dmp autoit_exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation se1.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 11 IoCs
description ioc Process File created C:\Windows\Installer\SourceHash{6EDAE2A7-3AD8-49A4-8751-7FB5826F46B9} msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setupact.log EXPAND.EXE File opened for modification C:\Windows\LOGS\DPX\setuperr.log EXPAND.EXE File opened for modification C:\Windows\Installer\MSI6E4B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6E4C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI61B7.tmp msiexec.exe File created C:\Windows\Installer\e5760ec.msi msiexec.exe File opened for modification C:\Windows\Installer\e5760ec.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe -
Executes dropped EXE 2 IoCs
pid Process 4724 se1.exe 60 csvhelper.exe -
Loads dropped DLL 3 IoCs
pid Process 3988 MsiExec.exe 60 csvhelper.exe 3988 MsiExec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009b9629f4dfdec3790000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009b9629f40000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009b9629f4000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9b9629f4000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009b9629f400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1776 msiexec.exe 1776 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 53 IoCs
description pid Process Token: SeShutdownPrivilege 5040 msiexec.exe Token: SeIncreaseQuotaPrivilege 5040 msiexec.exe Token: SeSecurityPrivilege 1776 msiexec.exe Token: SeCreateTokenPrivilege 5040 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 5040 msiexec.exe Token: SeLockMemoryPrivilege 5040 msiexec.exe Token: SeIncreaseQuotaPrivilege 5040 msiexec.exe Token: SeMachineAccountPrivilege 5040 msiexec.exe Token: SeTcbPrivilege 5040 msiexec.exe Token: SeSecurityPrivilege 5040 msiexec.exe Token: SeTakeOwnershipPrivilege 5040 msiexec.exe Token: SeLoadDriverPrivilege 5040 msiexec.exe Token: SeSystemProfilePrivilege 5040 msiexec.exe Token: SeSystemtimePrivilege 5040 msiexec.exe Token: SeProfSingleProcessPrivilege 5040 msiexec.exe Token: SeIncBasePriorityPrivilege 5040 msiexec.exe Token: SeCreatePagefilePrivilege 5040 msiexec.exe Token: SeCreatePermanentPrivilege 5040 msiexec.exe Token: SeBackupPrivilege 5040 msiexec.exe Token: SeRestorePrivilege 5040 msiexec.exe Token: SeShutdownPrivilege 5040 msiexec.exe Token: SeDebugPrivilege 5040 msiexec.exe Token: SeAuditPrivilege 5040 msiexec.exe Token: SeSystemEnvironmentPrivilege 5040 msiexec.exe Token: SeChangeNotifyPrivilege 5040 msiexec.exe Token: SeRemoteShutdownPrivilege 5040 msiexec.exe Token: SeUndockPrivilege 5040 msiexec.exe Token: SeSyncAgentPrivilege 5040 msiexec.exe Token: SeEnableDelegationPrivilege 5040 msiexec.exe Token: SeManageVolumePrivilege 5040 msiexec.exe Token: SeImpersonatePrivilege 5040 msiexec.exe Token: SeCreateGlobalPrivilege 5040 msiexec.exe Token: SeBackupPrivilege 1124 vssvc.exe Token: SeRestorePrivilege 1124 vssvc.exe Token: SeAuditPrivilege 1124 vssvc.exe Token: SeBackupPrivilege 1776 msiexec.exe Token: SeRestorePrivilege 1776 msiexec.exe Token: SeRestorePrivilege 1776 msiexec.exe Token: SeTakeOwnershipPrivilege 1776 msiexec.exe Token: SeRestorePrivilege 1776 msiexec.exe Token: SeTakeOwnershipPrivilege 1776 msiexec.exe Token: SeBackupPrivilege 4048 srtasks.exe Token: SeRestorePrivilege 4048 srtasks.exe Token: SeSecurityPrivilege 4048 srtasks.exe Token: SeTakeOwnershipPrivilege 4048 srtasks.exe Token: SeBackupPrivilege 4048 srtasks.exe Token: SeRestorePrivilege 4048 srtasks.exe Token: SeSecurityPrivilege 4048 srtasks.exe Token: SeTakeOwnershipPrivilege 4048 srtasks.exe Token: SeRestorePrivilege 1776 msiexec.exe Token: SeTakeOwnershipPrivilege 1776 msiexec.exe Token: SeRestorePrivilege 1776 msiexec.exe Token: SeTakeOwnershipPrivilege 1776 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 5040 msiexec.exe 5040 msiexec.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1776 wrote to memory of 4048 1776 msiexec.exe 96 PID 1776 wrote to memory of 4048 1776 msiexec.exe 96 PID 1776 wrote to memory of 3988 1776 msiexec.exe 98 PID 1776 wrote to memory of 3988 1776 msiexec.exe 98 PID 1776 wrote to memory of 3988 1776 msiexec.exe 98 PID 3988 wrote to memory of 2508 3988 MsiExec.exe 99 PID 3988 wrote to memory of 2508 3988 MsiExec.exe 99 PID 3988 wrote to memory of 2508 3988 MsiExec.exe 99 PID 3988 wrote to memory of 2824 3988 MsiExec.exe 101 PID 3988 wrote to memory of 2824 3988 MsiExec.exe 101 PID 3988 wrote to memory of 2824 3988 MsiExec.exe 101 PID 3988 wrote to memory of 4724 3988 MsiExec.exe 103 PID 3988 wrote to memory of 4724 3988 MsiExec.exe 103 PID 3988 wrote to memory of 4724 3988 MsiExec.exe 103 PID 4724 wrote to memory of 60 4724 se1.exe 104 PID 4724 wrote to memory of 60 4724 se1.exe 104 PID 4724 wrote to memory of 60 4724 se1.exe 104 PID 3988 wrote to memory of 2896 3988 MsiExec.exe 105 PID 3988 wrote to memory of 2896 3988 MsiExec.exe 105 PID 3988 wrote to memory of 2896 3988 MsiExec.exe 105 PID 60 wrote to memory of 2388 60 csvhelper.exe 109 PID 60 wrote to memory of 2388 60 csvhelper.exe 109 PID 60 wrote to memory of 2388 60 csvhelper.exe 109 PID 60 wrote to memory of 8 60 csvhelper.exe 111 PID 60 wrote to memory of 8 60 csvhelper.exe 111 PID 60 wrote to memory of 8 60 csvhelper.exe 111 PID 60 wrote to memory of 4980 60 csvhelper.exe 113 PID 60 wrote to memory of 4980 60 csvhelper.exe 113 PID 60 wrote to memory of 4980 60 csvhelper.exe 113 PID 60 wrote to memory of 1048 60 csvhelper.exe 115 PID 60 wrote to memory of 1048 60 csvhelper.exe 115 PID 60 wrote to memory of 1048 60 csvhelper.exe 115 PID 60 wrote to memory of 2780 60 csvhelper.exe 117 PID 60 wrote to memory of 2780 60 csvhelper.exe 117 PID 60 wrote to memory of 2780 60 csvhelper.exe 117 PID 60 wrote to memory of 2504 60 csvhelper.exe 119 PID 60 wrote to memory of 2504 60 csvhelper.exe 119 PID 60 wrote to memory of 2504 60 csvhelper.exe 119 PID 60 wrote to memory of 4424 60 csvhelper.exe 121 PID 60 wrote to memory of 4424 60 csvhelper.exe 121 PID 60 wrote to memory of 4424 60 csvhelper.exe 121 PID 60 wrote to memory of 864 60 csvhelper.exe 123 PID 60 wrote to memory of 864 60 csvhelper.exe 123 PID 60 wrote to memory of 864 60 csvhelper.exe 123 PID 60 wrote to memory of 3052 60 csvhelper.exe 125 PID 60 wrote to memory of 3052 60 csvhelper.exe 125 PID 60 wrote to memory of 3052 60 csvhelper.exe 125 PID 60 wrote to memory of 2496 60 csvhelper.exe 127 PID 60 wrote to memory of 2496 60 csvhelper.exe 127 PID 60 wrote to memory of 2496 60 csvhelper.exe 127 PID 60 wrote to memory of 2288 60 csvhelper.exe 129 PID 60 wrote to memory of 2288 60 csvhelper.exe 129 PID 60 wrote to memory of 2288 60 csvhelper.exe 129 PID 60 wrote to memory of 4732 60 csvhelper.exe 131 PID 60 wrote to memory of 4732 60 csvhelper.exe 131 PID 60 wrote to memory of 4732 60 csvhelper.exe 131 PID 60 wrote to memory of 4704 60 csvhelper.exe 133 PID 60 wrote to memory of 4704 60 csvhelper.exe 133 PID 60 wrote to memory of 4704 60 csvhelper.exe 133 PID 60 wrote to memory of 2216 60 csvhelper.exe 135 PID 60 wrote to memory of 2216 60 csvhelper.exe 135 PID 60 wrote to memory of 2216 60 csvhelper.exe 135 PID 60 wrote to memory of 580 60 csvhelper.exe 137 PID 60 wrote to memory of 580 60 csvhelper.exe 137 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5040
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
PID:4048
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4973ED0FAB5ADF7011FA1732CEFC26CE2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
PID:2508
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
PID:2824
-
-
C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\files\se1.exe"C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\files\se1.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe"C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe"4⤵
- Enumerates connected drives
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A5⤵PID:2388
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A5⤵PID:8
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A5⤵PID:4980
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A5⤵PID:1048
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A5⤵PID:2780
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A5⤵PID:2504
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A5⤵PID:4424
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A5⤵PID:864
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A5⤵PID:3052
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A5⤵PID:2496
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A5⤵PID:2288
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A5⤵PID:4732
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A5⤵PID:4704
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A5⤵PID:2216
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A5⤵PID:580
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A5⤵PID:3896
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A5⤵PID:4276
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A5⤵PID:3296
-
-
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-313db449-2d1a-4ea0-87ce-b75c35a6ce18\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
PID:2896
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1124
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.2MB
MD56f7c8bbe4e94980ca7c1b878c048be94
SHA12ee86ce71bd986ff8e92f5a2b876098ccbab42dc
SHA256f7d0e68a4513d8de00698dda1aecfb5ca4efa1871c9141764ce641a0d1d034ae
SHA5124c811c848621873d871246ac654257954d569747653dbfaad40b434be155435590573699cd4b89eac5de1cab446571b8ac1ea1ec0d068b04bb769f983913983b
-
Filesize
16.5MB
MD5e3ffe9b1db336ca7f34e0f26215d4ee4
SHA13ec434df80529311342401ac7a7acd066e19c90f
SHA256700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901
SHA51271168c55f1c159d48b11f951fae2c8686fc66e4e1ba57f5bc2904cc06af71d096ebc60220745133c83c5a06682621736c6f73261658af5ab086b5831f91c9a8b
-
Filesize
1KB
MD5eb7c810bfc79c6ee2e5a5e7727fcb24a
SHA10ff13cf99d3b62550c9110047d600a6f98005156
SHA2563c50c5b1e15a5433f88d92c0e42c4e87b1b32a18a936e12f430a8257e594f397
SHA512b89998d425a37a03925a0d5b13c3076fae173738ddc3a087f9df4ff1c7b010e65fa088562e558d5dbf3a0be416553ef7b4aa643aad9ed64186c2796dbad63df8
-
Filesize
1KB
MD500936651b95fe2b496c40a99a67359da
SHA18f66e37cb485cc116f116722f655f6f77ed8adb7
SHA256b89e87c2f80401df2d79748575a9d63f1c7aa99c29bca3eb41ed9155dcfe8dfe
SHA512e5c84f6ac1b5d3e29f503d7aa3db71864a22efa2bbb00e7d332fefa6f92593e73344d1acce19e7a7c95a75e118396b9a1de59d359a01942919f6e1ea97c7a994
-
Filesize
2.0MB
MD5349a1d8bb00ae11bbf535cd909838c65
SHA1c7b9d73580d6c733fbd5875bbccfbf3b792018e2
SHA25693e4d8628b80b495625844695be857f62353c5b95a1ed85f262fb8681a2cbae4
SHA512f1911c2071628fcbf4d18640d50808d2c23c22594c71e380d3f8cb6d90ae3c75019c4210ff6f6f54a918ec346694bdf821757cc4f174ed48a7a11d28a4aced51
-
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
Filesize2KB
MD544018e1779270b083ad90da3dffe9b15
SHA1e09c06b564abe26bcf91ecb7632d761c3234b30d
SHA25671bacaee2c9e1fbe6a7184aaf9d3f8e24d6390ca62298c5da425bf060cd2bc4c
SHA512ece1fde07753a160735d2c09272410a473c7cbf18972005baa36480d363e87a47f02b7b83efb893b88e334e7f49d645d85f802246e7508623d20c04adb6cbb7b
-
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
Filesize4KB
MD5b3c74bb5250effad46ce11a96c9468c2
SHA13a339e244a29fe41d13fa4cc951a7e0a2862e299
SHA2565a9479caa4024731d61172652a67021f4973a03548516d36a4865ec161a57825
SHA512a5f8499a39972341740f46f96f90feb6cab15610fd9e7d25eeae139236fe115874806a6554c8fe180dee097088f8d4802a20b0ebc7de0c04486c7dbce36116c3
-
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
Filesize4KB
MD53272be2da53b6d5271111431f7d90d28
SHA17ec382eee6282454d5b0b03751f3d14c568bbfa5
SHA2564e2a12a194e0db12de874ad8c9a5288b5a56285b426883bd0e3cef1866569982
SHA51245dbfa8dd5aa0bd1e2dd042a716f00bad44142b98bcffedb7c30403b6132b50e72db64909d3873ca3a154d4a2e90433093c4f040454bca005b8274130c827b26
-
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
Filesize2KB
MD5228d4bd899577ed16ad3ac74b592a0e6
SHA1baf99e34e126d6c41b7aa39caabc2376358bab70
SHA256fe87e02e797a143042bd7f10fa57c6e2a53028b5d5ab4c3da2a1e4affd1c86d5
SHA512285b2057d2bce4086859d76ad7c57f029946106e5bf31525a92450714b790bc77fb982e6e1edfedfbb4335a791911e057caf01ea801868ae196a8775a78adebc
-
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
Filesize2KB
MD52719683b8dba819f2e6bd9e9b7307f1c
SHA16cbac17ebf8b56489ad8b8c458dd618b2788512a
SHA256316b67841dba6c73097d0d50d1b454fd80b6aac86fa0fe15f9b514d65a5bb66a
SHA51296ffe07ea87dae0bcf92a2d06dbfc8604526e77afd8f1bae1bc3ef17261463a214a54d91e7f672a5b8455ed4c7bba8fbe19e12255c6d5b2bbd26dda5c8b6ccee
-
Filesize
6.9MB
MD5f5de326683df44d71ed1b986fd836e0b
SHA133bc899da6afd2b82b27d59acd0844b521e57079
SHA25617c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f
SHA51212ae60cec6bd90c6bf4f8bb5196f79811bc03f4208c9c1148190551854a04f3b61732d3cb7f99feea019cc1f5c05c37b5ad24e24de39763acfc663b31434f15a
-
Filesize
3.9MB
MD51bf457ea201a3374f7c37f43d5c3ffdb
SHA1bf693ad6b3070cfb60902eeeb3a290bad531bbd0
SHA2569107ca00ea91640e2498b2d7c1529d7eaaa731907bb9a3732a6895fbca9aaf08
SHA512c6657ffbcefb3e5ae704fb4712520b3ff705c23a206628b3f348cb11fa0e55e5c2ac54172d98a79470c15413e7f526fbc12ac700c7ae83052f888c241d530074
-
Filesize
208KB
MD54caaa03e0b59ca60a3d34674b732b702
SHA1ee80c8f4684055ac8960b9720fb108be07e1d10c
SHA256d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
SHA51225888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34
-
Filesize
23.7MB
MD5f91a761adffa6a40ce5a428fea48a473
SHA1129a30f5c9ee7696f0544599249d5632ed9979ae
SHA256de2b00309cf72aff0cad62658e5c9f1b816f234bb78a73b2b45dac164e8455b6
SHA512d0d1bb1eae5aa64d4b382f9f5707e0b4bef780a824bd560712c41ad850f34f9bbc5326b74dc5e5b21e6933fb0d8ffe95c8b09629c8003f40f05f473a42fda5c8
-
\??\Volume{f429969b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{82cdeeaa-b942-4d49-9bf5-346f7eeffd6d}_OnDiskSnapshotProp
Filesize6KB
MD5f7ae3c295729162ecfa9f298bc98d013
SHA1d96194a2a17bbd7ab0b87b137508c48cef8f87a5
SHA256f926af16511fa895d39335e5cd567e4e3a90f47bc050df1b534be6dfc6211f5e
SHA512a84b1a3595517069fa35310f1420004ad626aa639ac2e8619b2cbee52f495983d8dbd01a8f15d5578421fe4cc3939f1d8e6e9a571b88283c3501b7cd72c7990a