Overview
overview
8Static
static
3StarVPN-FR...st.exe
windows10-2004-x64
8$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/UAC.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows10-2004-x64
3LICENSES.c...m.html
windows10-2004-x64
1StarVPN.exe
windows10-2004-x64
5d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows10-2004-x64
1resources/...ce.cmd
windows10-2004-x64
7resources/app.js
windows10-2004-x64
3resources/elevate.exe
windows10-2004-x64
1resources/...64.dll
windows10-2004-x64
1resources/...-1.dll
windows10-2004-x64
1resources/...64.dll
windows10-2004-x64
1resources/...pn.exe
windows10-2004-x64
1resources/...tl.exe
windows10-2004-x64
1resources/...40.dll
windows10-2004-x64
1resources/...al.exe
windows10-2004-x64
1resources/...st.exe
windows10-2004-x64
1resources/...wg.exe
windows10-2004-x64
1resources/...rd.exe
windows10-2004-x64
5resources/...tn.msi
windows10-2004-x64
6vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows10-2004-x64
1$PLUGINSDI...gs.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$PLUGINSDI...ss.dll
windows10-2004-x64
3$PLUGINSDI...7z.dll
windows10-2004-x64
3$R0/Uninst...PN.exe
windows10-2004-x64
4Analysis
-
max time kernel
101s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 05:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
StarVPN-FR1-x64-latest.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
20 signatures
120 seconds
Behavioral task
behavioral2
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
2 signatures
120 seconds
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
2 signatures
120 seconds
Behavioral task
behavioral4
Sample
$PLUGINSDIR/UAC.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
2 signatures
120 seconds
Behavioral task
behavioral5
Sample
$PLUGINSDIR/WinShell.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
2 signatures
120 seconds
Behavioral task
behavioral6
Sample
LICENSES.chromium.html
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
120 seconds
Behavioral task
behavioral7
Sample
StarVPN.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
6 signatures
120 seconds
Behavioral task
behavioral8
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
0 signatures
120 seconds
Behavioral task
behavioral9
Sample
ffmpeg.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
0 signatures
120 seconds
Behavioral task
behavioral10
Sample
libEGL.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
0 signatures
120 seconds
Behavioral task
behavioral11
Sample
libGLESv2.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
0 signatures
120 seconds
Behavioral task
behavioral12
Sample
resources/StarVPNService.cmd
Resource
win10v2004-20240508-en
windows10-2004-x64
2 signatures
120 seconds
Behavioral task
behavioral13
Sample
resources/app.js
Resource
win10v2004-20240426-en
windows10-2004-x64
1 signatures
120 seconds
Behavioral task
behavioral14
Sample
resources/elevate.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
0 signatures
120 seconds
Behavioral task
behavioral15
Sample
resources/openvpn/x64/libcrypto-3-x64.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
0 signatures
120 seconds
Behavioral task
behavioral16
Sample
resources/openvpn/x64/libpkcs11-helper-1.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
0 signatures
120 seconds
Behavioral task
behavioral17
Sample
resources/openvpn/x64/libssl-3-x64.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
0 signatures
120 seconds
Behavioral task
behavioral18
Sample
resources/openvpn/x64/openvpn.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
0 signatures
120 seconds
Behavioral task
behavioral19
Sample
resources/openvpn/x64/tctl.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
0 signatures
120 seconds
Behavioral task
behavioral20
Sample
resources/openvpn/x64/vcruntime140.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
0 signatures
120 seconds
Behavioral task
behavioral21
Sample
resources/shadowsocks/x64/sslocal.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
0 signatures
120 seconds
Behavioral task
behavioral22
Sample
resources/wireguard/fastlist.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
1 signatures
120 seconds
Behavioral task
behavioral23
Sample
resources/wireguard/x64/wg.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
0 signatures
120 seconds
Behavioral task
behavioral24
Sample
resources/wireguard/x64/wireguard.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
9 signatures
120 seconds
Behavioral task
behavioral25
Sample
resources/wireguard/x64/wntn.msi
Resource
win10v2004-20240426-en
windows10-2004-x64
12 signatures
120 seconds
Behavioral task
behavioral26
Sample
vk_swiftshader.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
0 signatures
120 seconds
Behavioral task
behavioral27
Sample
vulkan-1.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
0 signatures
120 seconds
Behavioral task
behavioral28
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
2 signatures
120 seconds
Behavioral task
behavioral29
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
2 signatures
120 seconds
Behavioral task
behavioral30
Sample
$PLUGINSDIR/nsProcess.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
2 signatures
120 seconds
Behavioral task
behavioral31
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
2 signatures
120 seconds
Behavioral task
behavioral32
Sample
$R0/Uninstall StarVPN.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
4 signatures
120 seconds
General
-
Target
resources/wireguard/x64/wntn.msi
-
Size
308KB
-
MD5
4f9855957a9e04023166e3619d233e26
-
SHA1
45478661f419b425a06380c3e89f101247fc53bb
-
SHA256
fb73b8c3034f2cf44b2a82f2820f1b6975b4e8bb63aa8b5e476063b6797174c8
-
SHA512
817ecf32b82b2dcb5d78082e9f02e191c7d09a1c799391906aa83ad80f016f55e8ae7a5248eb5c8a3e776e4cc9b519ca0b13f03775e77893eb520080da7db76e
-
SSDEEP
3072:q7N6bBrGsu4ldGrlmxElEmNoPl4+eDhIVJkRZ5Br/NbvcjKX5mMgQSeRocPvuocM:q7N6UWldGrlmxEDNMea+H5R/B/1lp4x
Score
6/10
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\S: msiexec.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\System32\DriverStore\FileRepository\netrtwlane01.inf_amd64_b02695ef070d7a42\netrtwlane01.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\nete1g3e.inf_amd64_af58b4e19562a3f9\nete1g3e.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\msux64w10.inf_amd64_5aa81644af5957b3\msux64w10.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\net8192se64.inf_amd64_167684f9283b4eca\net8192se64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtwlans.inf_amd64_97cd1a72c2a7829c\netrtwlans.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{78d9162c-4399-ef41-b60e-1e546ffc035d}\wintun.sys DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\ipoib6x.inf_amd64_ef71073a5867971f\ipoib6x.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\net7800-x64-n650f.inf_amd64_178f1bdb49a6e2fd\net7800-x64-n650f.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netwtw06.inf_amd64_2edd50e7a54d503b\netwtw06.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{78d9162c-4399-ef41-b60e-1e546ffc035d} DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netmyk64.inf_amd64_1f949c30555f4111\netmyk64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netavpna.inf_amd64_f6f0831ba09dd9f5\netavpna.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\net819xp.inf_amd64_ff7a5dd4f9b1ceba\net819xp.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\rtux64w10.inf_amd64_d6132e4c7fe2fac6\rtux64w10.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_99a4ca261f585f17\net8187se64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\bcmwdidhdpcie.inf_amd64_977dcc915465b0e9\bcmwdidhdpcie.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_07ad61d07466a58a\wceisvista.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\net7500-x64-n650f.inf_amd64_cc87c915f33d1c27\net7500-x64-n650f.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_992f4f46e65f30d4\netrtwlane_13.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\ykinx64.inf_amd64_0bbd8466b526ef26\ykinx64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netl1c63x64.inf_amd64_4d6630ce07a4fb42\netl1c63x64.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{78d9162c-4399-ef41-b60e-1e546ffc035d}\SETC527.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netr7364.inf_amd64_310ee0bc0af86ba3\netr7364.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netxex64.inf_amd64_ede00b448bfe8099\netxex64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_f9e30429669d7fff\netvwwanmp.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\net7400-x64-n650.inf_amd64_557ce3b37c3e0e3b\net7400-x64-n650.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\rt640x64.inf_amd64_8984d8483eef476c\rt640x64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netjme.inf_amd64_752bf22f1598bb7e\netjme.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\nett4x64.inf_amd64_54eacac1858c78ab\nett4x64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netathrx.inf_amd64_220db23f5419ea8d\netathrx.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtwlane.inf_amd64_20caba88bd7f0bb3\netrtwlane.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_97bef65a8432edd4\msdri.PNF MsiExec.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netwlv64.inf_amd64_0b9818131664d91e\netwlv64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\kdnic.inf_amd64_6649425cdcae9b5f\kdnic.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netax88772.inf_amd64_5d1c92f42d958529\netax88772.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\mrvlpcie8897.inf_amd64_07fc330c5a5730ca\mrvlpcie8897.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\usbncm.inf_amd64_9957a38c3d2283ed\usbncm.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{78d9162c-4399-ef41-b60e-1e546ffc035d}\SETC526.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netelx.inf_amd64_7812e4e45c4a5eb1\netelx.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_7080f6b8ea1744fb\netnvma.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_1fff3bc87a99b0f1\netbxnda.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netmlx4eth63.inf_amd64_3809a4a3e7e07703\netmlx4eth63.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_8b2087393aaef952\netimm.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{78d9162c-4399-ef41-b60e-1e546ffc035d}\SETC525.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\net9500-x64-n650f.inf_amd64_e92c5a65e41993f9\net9500-x64-n650f.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netbc63a.inf_amd64_7ba6c9cea77dd549\netbc63a.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_450d4b1e35cc8e0d\net44amd.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netwns64.inf_amd64_162bb49f925c6463\netwns64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_be4ba6237d385e2e\netrndis.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_8d5ca5ab1472fc44\netl1e64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netrasa.inf_amd64_1bdf7a435cb3580d\netrasa.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\mwlu97w8x64.inf_amd64_23bc3dc6d91eebdc\mwlu97w8x64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netl260a.inf_amd64_783312763f8749c7\netl260a.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netr28ux.inf_amd64_d5996f2a9d9aa9e3\netr28ux.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netbc64.inf_amd64_b96cdf411c43c00c\netbc64.PNF MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\wintun.inf_amd64_def3401515466414\wintun.sys DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\netax88179_178a.inf_amd64_b6748bc8bb8ccf4d\netax88179_178a.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\net1ic64.inf_amd64_5f033e913d34d111\net1ic64.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netwsw00.inf_amd64_24d55504ae3587aa\netwsw00.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netsstpa.inf_amd64_e76c5387d67e3fd6\netsstpa.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_5d63c7bcbf29107f\netr28x.PNF MsiExec.exe File created C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_7830581a689ef40d\netefe3e.PNF MsiExec.exe -
Drops file in Windows directory 15 IoCs
description ioc Process File created C:\Windows\inf\oem3.inf DrvInst.exe File created C:\Windows\Installer\e57baa7.msi msiexec.exe File created C:\Windows\Installer\e57baa5.msi msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\MSIBC0E.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log MsiExec.exe File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\e57baa5.msi msiexec.exe File created C:\Windows\Installer\SourceHash{92C3146C-FCA6-490F-A477-020C2BE6D5BF} msiexec.exe File opened for modification C:\Windows\Installer\MSIBB42.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIBB32.tmp msiexec.exe -
Loads dropped DLL 2 IoCs
pid Process 5048 MsiExec.exe 5044 MsiExec.exe -
Checks SCSI registry key(s) 3 TTPs 31 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000081a0e6b9f9d406b40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000081a0e6b90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090081a0e6b9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d81a0e6b9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000081a0e6b900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe -
Modifies data under HKEY_USERS 44 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe -
Modifies registry class 22 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C6413C296ACFF0944A7720C0B26E5DFB\WintunFeature msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB\SourceList\PackageName = "wntn.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB\PackageCode = "DAB071CEC621A8F42B293F5575AA1012" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB\Version = "524289" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB\AdvertiseFlags = "388" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B5E7C9284D319724F83406AF9CDA21EA msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB\ProductName = "Wintun" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB\SourceList\Media msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C6413C296ACFF0944A7720C0B26E5DFB msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB\Language = "1033" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B5E7C9284D319724F83406AF9CDA21EA\C6413C296ACFF0944A7720C0B26E5DFB msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\resources\\wireguard\\x64\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB\SourceList\Media\1 = ";" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6413C296ACFF0944A7720C0B26E5DFB\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\resources\\wireguard\\x64\\" msiexec.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2204 msiexec.exe 2204 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4236 msiexec.exe Token: SeIncreaseQuotaPrivilege 4236 msiexec.exe Token: SeSecurityPrivilege 2204 msiexec.exe Token: SeCreateTokenPrivilege 4236 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4236 msiexec.exe Token: SeLockMemoryPrivilege 4236 msiexec.exe Token: SeIncreaseQuotaPrivilege 4236 msiexec.exe Token: SeMachineAccountPrivilege 4236 msiexec.exe Token: SeTcbPrivilege 4236 msiexec.exe Token: SeSecurityPrivilege 4236 msiexec.exe Token: SeTakeOwnershipPrivilege 4236 msiexec.exe Token: SeLoadDriverPrivilege 4236 msiexec.exe Token: SeSystemProfilePrivilege 4236 msiexec.exe Token: SeSystemtimePrivilege 4236 msiexec.exe Token: SeProfSingleProcessPrivilege 4236 msiexec.exe Token: SeIncBasePriorityPrivilege 4236 msiexec.exe Token: SeCreatePagefilePrivilege 4236 msiexec.exe Token: SeCreatePermanentPrivilege 4236 msiexec.exe Token: SeBackupPrivilege 4236 msiexec.exe Token: SeRestorePrivilege 4236 msiexec.exe Token: SeShutdownPrivilege 4236 msiexec.exe Token: SeDebugPrivilege 4236 msiexec.exe Token: SeAuditPrivilege 4236 msiexec.exe Token: SeSystemEnvironmentPrivilege 4236 msiexec.exe Token: SeChangeNotifyPrivilege 4236 msiexec.exe Token: SeRemoteShutdownPrivilege 4236 msiexec.exe Token: SeUndockPrivilege 4236 msiexec.exe Token: SeSyncAgentPrivilege 4236 msiexec.exe Token: SeEnableDelegationPrivilege 4236 msiexec.exe Token: SeManageVolumePrivilege 4236 msiexec.exe Token: SeImpersonatePrivilege 4236 msiexec.exe Token: SeCreateGlobalPrivilege 4236 msiexec.exe Token: SeBackupPrivilege 4836 vssvc.exe Token: SeRestorePrivilege 4836 vssvc.exe Token: SeAuditPrivilege 4836 vssvc.exe Token: SeBackupPrivilege 2204 msiexec.exe Token: SeRestorePrivilege 2204 msiexec.exe Token: SeRestorePrivilege 2204 msiexec.exe Token: SeTakeOwnershipPrivilege 2204 msiexec.exe Token: SeRestorePrivilege 2204 msiexec.exe Token: SeTakeOwnershipPrivilege 2204 msiexec.exe Token: SeRestorePrivilege 2204 msiexec.exe Token: SeTakeOwnershipPrivilege 2204 msiexec.exe Token: SeRestorePrivilege 2204 msiexec.exe Token: SeTakeOwnershipPrivilege 2204 msiexec.exe Token: SeAuditPrivilege 1304 svchost.exe Token: SeSecurityPrivilege 1304 svchost.exe Token: SeRestorePrivilege 2204 msiexec.exe Token: SeTakeOwnershipPrivilege 2204 msiexec.exe Token: SeRestorePrivilege 2204 msiexec.exe Token: SeTakeOwnershipPrivilege 2204 msiexec.exe Token: SeRestorePrivilege 2204 msiexec.exe Token: SeTakeOwnershipPrivilege 2204 msiexec.exe Token: SeRestorePrivilege 2204 msiexec.exe Token: SeTakeOwnershipPrivilege 2204 msiexec.exe Token: SeRestorePrivilege 2204 msiexec.exe Token: SeTakeOwnershipPrivilege 2204 msiexec.exe Token: SeRestorePrivilege 2204 msiexec.exe Token: SeTakeOwnershipPrivilege 2204 msiexec.exe Token: SeRestorePrivilege 2204 msiexec.exe Token: SeTakeOwnershipPrivilege 2204 msiexec.exe Token: SeRestorePrivilege 2204 msiexec.exe Token: SeTakeOwnershipPrivilege 2204 msiexec.exe Token: SeRestorePrivilege 2204 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4236 msiexec.exe 4236 msiexec.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2204 wrote to memory of 4904 2204 msiexec.exe 98 PID 2204 wrote to memory of 4904 2204 msiexec.exe 98 PID 2204 wrote to memory of 5048 2204 msiexec.exe 100 PID 2204 wrote to memory of 5048 2204 msiexec.exe 100 PID 2204 wrote to memory of 5044 2204 msiexec.exe 101 PID 2204 wrote to memory of 5044 2204 msiexec.exe 101 PID 1304 wrote to memory of 4760 1304 svchost.exe 103 PID 1304 wrote to memory of 4760 1304 svchost.exe 103 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\resources\wireguard\x64\wntn.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4236
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:4904
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 671E08A8D2EED68F89511EF3D379D1DE2⤵
- Loads dropped DLL
PID:5048
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 7157B9890999041453E433AB99737A1C E Global\MSI00002⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Loads dropped DLL
PID:5044
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4836
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "1" "C:\Windows\Temp\c56b32522ab03fc6092a1d8021082f5612d748e5c04477f8a09d83cc63e447a2\wintun.inf" "9" "444afe357" "0000000000000138" "WinSta0\Default" "000000000000015C" "208" "C:\Windows\Temp\c56b32522ab03fc6092a1d8021082f5612d748e5c04477f8a09d83cc63e447a2"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4760
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
523B
MD5f5403f2b4d3f2da48bf2eb323c86091d
SHA1932153b0067ad54e15b0593203f2e9bdffe28fef
SHA2566a2ccb0082e24e7abd2ae4a44d605704aa27d16246f8f796ec7d7e8de669923f
SHA512d400580404a55e0bad6f79226017dcb764668d45bf6427e7a6d385d7ab48660fcaef38eeebf24e418b21e57d5b34f967aac2a16bda4245d76915d414bd599458
-
Filesize
275KB
MD52232c07e354364e0eb1dc80024593826
SHA165bb4232c0416cfb2c158bfc32a7732ad72cee72
SHA256fb1cd5e7c3ea30dfafd3cc1862e311388361d896610db28c63716da9d71e8f3f
SHA512f0d295565b209f4dedd2a79123fa54ff9b8cbb173f14463ab3d3707b8d87aad84b05c2898478ecc148e29d02fa07ddda9499795e0ceafc2982c0adbd570a3572
-
Filesize
9KB
MD5faba2ccb8fe366fd281ca6be6d2bb7c2
SHA1bb7bd32a21f3eba652fde24146387ffc5278143e
SHA256602187e5470ddbdf9421045bb0515f358c88bf88f59fd8a886fb6373da5d0f82
SHA512ec424a545e2598f299706499dab07b4d12b0734a52f928216a53bca2b7f384b97bd4fc092d7d68de636a75daf79ac392c4b49b7251ec011236de1659253d6214
-
Filesize
37KB
MD51945d7d1f56b67ae1cad6ffe13a01985
SHA12c1a369f9e12e5c6549439e60dd6c728bf1bffde
SHA256eb58bf00df7b4f98334178e75df3348c609ea5c6c74cf7f185f363aa23976c8b
SHA51209af87898528eaa657d46c79b7c4ebc0e415478a421b0b97355294c059878178eb32e172979ee9b7c59126861d51a5831e337a96666c43c96cb1cf8f11bc0a0f
-
Filesize
1KB
MD58480579050970b0812cc3d9a1bce1340
SHA1edebebd090602f4eee375ad754c8566d4fda23cb
SHA25644098408ab9611dd99a38e140c7fb1ca5dce6eb2d5f0d5e500547ac1ba5d235b
SHA51246de9202c3cf0ddbf19f9e0e02ec17530f2722abfa08669fd30a6095ce2342fa89a2cc59c1d47afd82b48c915bb95f4c6d16e7c21129a9c8f09c2bf239566933
-
Filesize
23.7MB
MD5d24aaa2cfc3efe7dfdf63f3c3f80a051
SHA1859e66f4255aca3883c1306b5b7a47003a6235a0
SHA2565c6e5d8a5c669de289dccfac17474df3967a6b53adb68e2c12d1bc8010df8ebf
SHA5128fcb1340ef8e5d02a096e9ce4ca910bbf6e034d78f37db7a3dc38f042d9a328082225daaf62386d546116fdc2b3d7a047170e147b677e80e13ce84e788ffc60b
-
\??\Volume{b9e6a081-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6e56b382-0fd5-49eb-964b-6424a2e69c39}_OnDiskSnapshotProp
Filesize6KB
MD5de0186eb0fad578505a9207490bd1168
SHA188ab73fb4ae8b83d2af2151ed1f09fabc252ca2b
SHA256de0ab39b0b47ea87b98fe9a7ccce0a654e6ed38d6d9a0f789eb6741915b59a6a
SHA512e9f4773273bd22f24efba3c50cc4be9b0d308b4dc662bbcb8f81d6cdac18fdb4d010fe4ad780a38bf9e7fb53a0fc64a830ff37b334364a9bd094de2925f7e780