6ee78b18ddb57ebb710f371d9c01b743fc7fb080527360a56d9981c56cdffffb

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21-04-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORPALIS PaperScan Professional Edition 4.0.9 [PeskTop.com]/paperscanpro4.exe
Size

124.9MB
MD5

d964449be90f3d1eabcd4bd4e0f1687b
SHA1

1f58c435655108220a656066933ce05de5a18f64
SHA256

93ec1818f17060773929f735d16343edeb9fab83b35d01f6ae4473c979d33443
SHA512

7a223efd9be3ac244065e387078bfc90704c2bf5665b14a8d9b1a90755f3f56759df88b36e1f9ca85b849728a9eddf48e9e15adf8a2044131a269de25b49dde4
SSDEEP

3145728:kagyVIufss4uvENj3aT32FpHCBRgoDCkD0iUWoMM:QyVI1FCEhqL2Fpirg8j9VoMM

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exepaperscanpro4.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	paperscanpro4.exe
File opened (read-only)	\??\U:	paperscanpro4.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	paperscanpro4.exe
File opened (read-only)	\??\N:	paperscanpro4.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	paperscanpro4.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	paperscanpro4.exe
File opened (read-only)	\??\M:	paperscanpro4.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	paperscanpro4.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	paperscanpro4.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	paperscanpro4.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	paperscanpro4.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	paperscanpro4.exe
File opened (read-only)	\??\X:	paperscanpro4.exe
File opened (read-only)	\??\Z:	paperscanpro4.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	paperscanpro4.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	paperscanpro4.exe
File opened (read-only)	\??\P:	paperscanpro4.exe
File opened (read-only)	\??\S:	paperscanpro4.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	paperscanpro4.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	paperscanpro4.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	paperscanpro4.exe
File opened (read-only)	\??\V:	paperscanpro4.exe
File opened (read-only)	\??\I:	msiexec.exe

Loads dropped DLL 10 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid	process
2888	MsiExec.exe
2888	MsiExec.exe
2888	MsiExec.exe
1564	MsiExec.exe
1564	MsiExec.exe
1564	MsiExec.exe
1564	MsiExec.exe
1564	MsiExec.exe
1564	MsiExec.exe
1564	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

paperscanpro4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	paperscanpro4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	paperscanpro4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	paperscanpro4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	paperscanpro4.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msiexec.exe

pid process

1260 msiexec.exe

pid	process
1260	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exepaperscanpro4.exe

description	pid	process
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeSecurityPrivilege	2476	msiexec.exe
Token: SeCreateTokenPrivilege	2924	paperscanpro4.exe
Token: SeAssignPrimaryTokenPrivilege	2924	paperscanpro4.exe
Token: SeLockMemoryPrivilege	2924	paperscanpro4.exe
Token: SeIncreaseQuotaPrivilege	2924	paperscanpro4.exe
Token: SeMachineAccountPrivilege	2924	paperscanpro4.exe
Token: SeTcbPrivilege	2924	paperscanpro4.exe
Token: SeSecurityPrivilege	2924	paperscanpro4.exe
Token: SeTakeOwnershipPrivilege	2924	paperscanpro4.exe
Token: SeLoadDriverPrivilege	2924	paperscanpro4.exe
Token: SeSystemProfilePrivilege	2924	paperscanpro4.exe
Token: SeSystemtimePrivilege	2924	paperscanpro4.exe
Token: SeProfSingleProcessPrivilege	2924	paperscanpro4.exe
Token: SeIncBasePriorityPrivilege	2924	paperscanpro4.exe
Token: SeCreatePagefilePrivilege	2924	paperscanpro4.exe
Token: SeCreatePermanentPrivilege	2924	paperscanpro4.exe
Token: SeBackupPrivilege	2924	paperscanpro4.exe
Token: SeRestorePrivilege	2924	paperscanpro4.exe
Token: SeShutdownPrivilege	2924	paperscanpro4.exe
Token: SeDebugPrivilege	2924	paperscanpro4.exe
Token: SeAuditPrivilege	2924	paperscanpro4.exe
Token: SeSystemEnvironmentPrivilege	2924	paperscanpro4.exe
Token: SeChangeNotifyPrivilege	2924	paperscanpro4.exe
Token: SeRemoteShutdownPrivilege	2924	paperscanpro4.exe
Token: SeUndockPrivilege	2924	paperscanpro4.exe
Token: SeSyncAgentPrivilege	2924	paperscanpro4.exe
Token: SeEnableDelegationPrivilege	2924	paperscanpro4.exe
Token: SeManageVolumePrivilege	2924	paperscanpro4.exe
Token: SeImpersonatePrivilege	2924	paperscanpro4.exe
Token: SeCreateGlobalPrivilege	2924	paperscanpro4.exe
Token: SeCreateTokenPrivilege	2924	paperscanpro4.exe
Token: SeAssignPrimaryTokenPrivilege	2924	paperscanpro4.exe
Token: SeLockMemoryPrivilege	2924	paperscanpro4.exe
Token: SeIncreaseQuotaPrivilege	2924	paperscanpro4.exe
Token: SeMachineAccountPrivilege	2924	paperscanpro4.exe
Token: SeTcbPrivilege	2924	paperscanpro4.exe
Token: SeSecurityPrivilege	2924	paperscanpro4.exe
Token: SeTakeOwnershipPrivilege	2924	paperscanpro4.exe
Token: SeLoadDriverPrivilege	2924	paperscanpro4.exe
Token: SeSystemProfilePrivilege	2924	paperscanpro4.exe
Token: SeSystemtimePrivilege	2924	paperscanpro4.exe
Token: SeProfSingleProcessPrivilege	2924	paperscanpro4.exe
Token: SeIncBasePriorityPrivilege	2924	paperscanpro4.exe
Token: SeCreatePagefilePrivilege	2924	paperscanpro4.exe
Token: SeCreatePermanentPrivilege	2924	paperscanpro4.exe
Token: SeBackupPrivilege	2924	paperscanpro4.exe
Token: SeRestorePrivilege	2924	paperscanpro4.exe
Token: SeShutdownPrivilege	2924	paperscanpro4.exe
Token: SeDebugPrivilege	2924	paperscanpro4.exe
Token: SeAuditPrivilege	2924	paperscanpro4.exe
Token: SeSystemEnvironmentPrivilege	2924	paperscanpro4.exe
Token: SeChangeNotifyPrivilege	2924	paperscanpro4.exe
Token: SeRemoteShutdownPrivilege	2924	paperscanpro4.exe
Token: SeUndockPrivilege	2924	paperscanpro4.exe
Token: SeSyncAgentPrivilege	2924	paperscanpro4.exe
Token: SeEnableDelegationPrivilege	2924	paperscanpro4.exe
Token: SeManageVolumePrivilege	2924	paperscanpro4.exe
Token: SeImpersonatePrivilege	2924	paperscanpro4.exe
Token: SeCreateGlobalPrivilege	2924	paperscanpro4.exe
Token: SeCreateTokenPrivilege	2924	paperscanpro4.exe
Token: SeAssignPrimaryTokenPrivilege	2924	paperscanpro4.exe
Token: SeLockMemoryPrivilege	2924	paperscanpro4.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

paperscanpro4.exemsiexec.exe

pid process

2924 paperscanpro4.exe
1260 msiexec.exe

pid	process
2924	paperscanpro4.exe
1260	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

msiexec.exepaperscanpro4.exe

description	pid	process	target process
PID 2476 wrote to memory of 2888	2476	msiexec.exe	MsiExec.exe
PID 2476 wrote to memory of 2888	2476	msiexec.exe	MsiExec.exe
PID 2476 wrote to memory of 2888	2476	msiexec.exe	MsiExec.exe
PID 2476 wrote to memory of 2888	2476	msiexec.exe	MsiExec.exe
PID 2476 wrote to memory of 2888	2476	msiexec.exe	MsiExec.exe
PID 2476 wrote to memory of 2888	2476	msiexec.exe	MsiExec.exe
PID 2476 wrote to memory of 2888	2476	msiexec.exe	MsiExec.exe
PID 2924 wrote to memory of 1260	2924	paperscanpro4.exe	msiexec.exe
PID 2924 wrote to memory of 1260	2924	paperscanpro4.exe	msiexec.exe
PID 2924 wrote to memory of 1260	2924	paperscanpro4.exe	msiexec.exe
PID 2924 wrote to memory of 1260	2924	paperscanpro4.exe	msiexec.exe
PID 2924 wrote to memory of 1260	2924	paperscanpro4.exe	msiexec.exe
PID 2924 wrote to memory of 1260	2924	paperscanpro4.exe	msiexec.exe
PID 2924 wrote to memory of 1260	2924	paperscanpro4.exe	msiexec.exe
PID 2476 wrote to memory of 1564	2476	msiexec.exe	MsiExec.exe
PID 2476 wrote to memory of 1564	2476	msiexec.exe	MsiExec.exe
PID 2476 wrote to memory of 1564	2476	msiexec.exe	MsiExec.exe
PID 2476 wrote to memory of 1564	2476	msiexec.exe	MsiExec.exe
PID 2476 wrote to memory of 1564	2476	msiexec.exe	MsiExec.exe
PID 2476 wrote to memory of 1564	2476	msiexec.exe	MsiExec.exe
PID 2476 wrote to memory of 1564	2476	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\ORPALIS PaperScan Professional Edition 4.0.9 [PeskTop.com]\paperscanpro4.exe
"C:\Users\Admin\AppData\Local\Temp\ORPALIS PaperScan Professional Edition 4.0.9 [PeskTop.com]\paperscanpro4.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\ORPALIS\PaperScan 4 Professional Edition 4.0.9\install\4FF14CA\PaperScanPro-4.0.9.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\ORPALIS PaperScan Professional Edition 4.0.9 [PeskTop.com]\paperscanpro4.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\ORPALIS PaperScan Professional Edition 4.0.9 [PeskTop.com]\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1713472328 " AI_FOUND_PREREQS=".NET Framework 4.7.2 (web installer)"
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1260

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D0C9DF9024DC5152DFDC3C865E9F8CBA C
  2⤵
  - Loads dropped DLL
  PID:2888
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5CFE479946240B1443A31CCF33A49E3F C
  2⤵
  - Loads dropped DLL
  PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
eeece5e919a33d267b92b22e8c2e08e3

SHA1
5ab76b001333e3999c3d1c7dd928c9940bfed114

SHA256
1e3ca69a2e6ee930e91c55183acc8001f0390f56870660482a67b6d928c827af

SHA512
4052591db3f8243da47915192caf029ab08534bb9bdd0ba90de344fd81db284c8d5c3e8e2100320b52bf5fb4c8cfa0b14be3cef1fcdfb693ef8865b7bd77fc9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_A360CD1C7D600F0FA52FD1B49B3E1637

Filesize
727B

MD5
eee4c7065430328a936943b8a4cc64c1

SHA1
8d965baa8203acf507dc01147ccf011ad65fadf3

SHA256
d6c086aaba2ac573829148dbceff5a0c290b74ea7722c07dff03d412b62853da

SHA512
6569255a29a42256ef099b2ee98cb1481803ea9d1669daf0cf4e00569b5cc8fe70c4eadb183dc43bfa1304d562a97e8286d97ee2f9d4c67d65dba4cbe2a9ae0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
cc6848d9ac77e31dfeadf8c1ab347bd7

SHA1
6bbab79a405666cb63f2e321330e10f4fabca6b4

SHA256
1bfe4a31c943532b6f000d26e721022f250f5555ef2f0bf12605c35ec606a338

SHA512
74214efdbe65e264e9b63506b4d74fd520d7322f03153a6f50dbf4236b36848fdd5b1b42431c600e8c75e4119c912b10a9a0d213043aa7102177ac95134d5966

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
843cf1f6ced038565b029cccdb65869e

SHA1
8efd3038fa80439716d999a7fac42da75395a85d

SHA256
1269bb6a9278a1054449a219f201bdad11aadb033c19c843178fb1c5d8b7a3c3

SHA512
39aa3f0699f9cf362ab4b5c1ff84e4d7d5234d9b2963ece1873a59ace5fa70081a6635584149480ca4cd050448602667b55f4f55acc0a5453fc6c5367a61f795

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_A360CD1C7D600F0FA52FD1B49B3E1637

Filesize
408B

MD5
19e9021c783e61b659ebb687cac5f67e

SHA1
3059ba43c28d70082f307b8eb5558d024a3697e9

SHA256
b54d804d5d64aaa9c168e7a6438db63123eb44566f221a06e5d711ac8448beca

SHA512
1e8801fe01fd4bce88c0ba412db155adfd5bb87bd3a506bada57493bd2e8f3beab45837b02764cde67854d0fc1fa113c2ef050c111945e01a045662fc4a5b5b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45b1cb871e9d6f844c221bd8ec641592

SHA1
a7392f605ba14079465320c008069c16e83d1d0f

SHA256
69aace8e9161bf4b0facac3895bcfaf2fb8ba344c415a2f21b5c7fd15bdcff54

SHA512
5ccf118833d26de627ba8a488575bc004f9bf7472e932c013974f34e58a651b9ec7e37b4528b667232e9c6d103debf31332ac8a33ce64f78dc52e6904eacfa3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
aca378abdf91cbbf07fdec4dcb5c6f20

SHA1
5934455e168b84f6c069413e80c3548d4a19275e

SHA256
33537003258e31d7a1ad2899b6f28abb239ed69591ba986746eee508615fc776

SHA512
7cccae2728462f4bd8d31f8e3b228940823aa016509049fa06c3424536ebb20fc89770afe5c2374b136849eb7a76ead665958712833d0bad5594a3cfd56f8edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2924\welcome.jpg

Filesize
14KB

MD5
a19eb2269d8449012cf8cf3693e9698a

SHA1
7be34d8186407ede94e068874417ddaf3bf3012e

SHA256
478f1e9f4cbcbc6062e3a609362a60e8c78e38507e60ba5a6b9db7d219e66a14

SHA512
86d71a7087d8597b06d822dab99d9cad5208fff612fa20c95db2ee712be61003d40a494dfe6c3836627592a9963d5729bc5ce4d7b4bbeb24fa6b613bf0d6631e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab15F3.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI17CB.tmp

Filesize
584KB

MD5
8e565fd81ca10a65cc02e7901a78c95b

SHA1
1bca3979c233321ae527d4508cfe9b3ba825dbd3

SHA256
7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

SHA512
144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1868.tmp

Filesize
1.1MB

MD5
afc6287898cc2f4e11e7ecca5ba67979

SHA1
00417961dd06817ad989aff7d6832f854a4e81b8

SHA256
65449b7ef921a26b22c2f5ba6bb8d22ced0a337313587c805bb165808346c402

SHA512
11bf538fd8c9330d6554e06e65b094aac27c657a0450ee6dd0891fb35644505d65e968395902b1d115f64d8c9a30f3d81e3db301705d82c084f7b028b8bd616c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1934.tmp

Filesize
709KB

MD5
130a4e28b3349aff8a444f6fcebbac91

SHA1
fee5efe0a1b9aea337e607f417bb091c3017537b

SHA256
750bf3e65d692ff255620c5b8d7c951d93d3deb65586ebb5a3e3b7ba2de10e39

SHA512
1564306e22db0000a78076e6811f0e4f9ca31c7fea95e1070a6ce422c408863810a2f55376b8db1aec2512e23d926d5d61ac280d4babc31c52dd645440ef510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar170F.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\ORPALIS\PaperScan 4 Professional Edition 4.0.9\install\4FF14CA\PaperScanPro-4.0.9.msi

Filesize
3.7MB

MD5
91feee7a5212ab8244ab5915a443d92d

SHA1
243c5f38314a4fb8c8412868bb131853929d95bf

SHA256
a59241ac480779e9e3d09cb5952ee2bf26daf9277714751442f257c0d1ca1a80

SHA512
e4367b4e922c443c652767b45ad4bf82fefded07b78c2a891f382b2d3ad3a49aa834e8a35816e87d52cf3dc805e403aa346810d71acd2820f17b3c65baf4fe49

Download Submit
memory/2924-0-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2924-121-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download