3642e3f95d50cc193e4b5a0b0ffbf7fe2c08801517758b4c8aeb7105a091208a

Analysis

max time kernel
125s
max time network
202s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VC_redist.x64.exe
Size

24.2MB
MD5

1d545507009cc4ec7409c1bc6e93b17b
SHA1

84c61fadf8cd38016fb7632969b3ace9e54b763a
SHA256

3642e3f95d50cc193e4b5a0b0ffbf7fe2c08801517758b4c8aeb7105a091208a
SHA512

5935b69f5138ac3fbc33813c74da853269ba079f910936aefa95e230c6092b92f6225bffb594e5dd35ff29bf260e4b35f91adede90fdf5f062030d8666fd0104
SSDEEP

786432:tSp+Ty2SfUfnbDDko5dFMYqlQbgAVLSElbmucMuZZxs6Sf:4p+Ty2SfWnHDk8FjVbfzPTq4

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{5af95fd8-a22e-458f-acee-c61bd787178e} = "\"C:\\ProgramData\\Package Cache\\{5af95fd8-a22e-458f-acee-c61bd787178e}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	1348	msiexec.exe
5	1348	msiexec.exe
7	1348	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f764d39.ipi	msiexec.exe
File created	C:\Windows\Installer\f764d4d.ipi	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x64.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f764d4a.msi	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x64.exe
File created	C:\Windows\Installer\f764d36.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI54FA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f764d4d.ipi	msiexec.exe
File created	C:\Windows\Installer\f764d60.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f764d36.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI53C0.tmp	msiexec.exe
File created	C:\Windows\Installer\f764d49.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f764d39.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f764d4a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI59C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5ACB.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
1564	VC_redist.x64.exe
2960	VC_redist.x64.exe

Loads dropped DLL 4 IoCs

pid	Process
2084	VC_redist.x64.exe
1564	VC_redist.x64.exe
1564	VC_redist.x64.exe
1672	VC_redist.x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.40.33810"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\PackageCode = "A40E8013387385E43AA0F61A9357B166"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}v14.40.33810\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\PackageName = "vc_runtimeAdditional_x64.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Assignment = "1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}v14.40.33810\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.40.33810"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\F84DEC95EFBEC084A883CF70C9B2CEF0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.40.33810"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.40.33810"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\Version = "237536274"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}v14.40.33810\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\InstanceType = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.40.33810"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}v14.40.33810\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.40.33810"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\ = "{5af95fd8-a22e-458f-acee-c61bd787178e}"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Version = "14.40.33810.0"	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4BB3B8BD01A15F4197B6AF4AF3CE17A\VC_Runtime_Minimum	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\PackageCode = "0F1976868EAF8784585CF1DB265C6A81"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Media\1 = ";"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F84DEC95EFBEC084A883CF70C9B2CEF0\VC_Runtime_Additional	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F84DEC95EFBEC084A883CF70C9B2CEF0	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Dependents	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Version = "237536274"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\DeploymentFlags = "3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\Assignment = "1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1348	msiexec.exe
1348	msiexec.exe
1348	msiexec.exe
1348	msiexec.exe
1348	msiexec.exe
1348	msiexec.exe
1348	msiexec.exe
1348	msiexec.exe
2264	chrome.exe
2264	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2116	vssvc.exe
Token: SeRestorePrivilege	2116	vssvc.exe
Token: SeAuditPrivilege	2116	vssvc.exe
Token: SeRestorePrivilege	2156	DrvInst.exe
Token: SeRestorePrivilege	2156	DrvInst.exe
Token: SeRestorePrivilege	2156	DrvInst.exe
Token: SeRestorePrivilege	2156	DrvInst.exe
Token: SeRestorePrivilege	2156	DrvInst.exe
Token: SeRestorePrivilege	2156	DrvInst.exe
Token: SeRestorePrivilege	2156	DrvInst.exe
Token: SeLoadDriverPrivilege	2156	DrvInst.exe
Token: SeLoadDriverPrivilege	2156	DrvInst.exe
Token: SeLoadDriverPrivilege	2156	DrvInst.exe
Token: SeShutdownPrivilege	2960	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	2960	VC_redist.x64.exe
Token: SeRestorePrivilege	1348	msiexec.exe
Token: SeTakeOwnershipPrivilege	1348	msiexec.exe
Token: SeSecurityPrivilege	1348	msiexec.exe
Token: SeCreateTokenPrivilege	2960	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	2960	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	2960	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	2960	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	2960	VC_redist.x64.exe
Token: SeTcbPrivilege	2960	VC_redist.x64.exe
Token: SeSecurityPrivilege	2960	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	2960	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	2960	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	2960	VC_redist.x64.exe
Token: SeSystemtimePrivilege	2960	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	2960	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	2960	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	2960	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	2960	VC_redist.x64.exe
Token: SeBackupPrivilege	2960	VC_redist.x64.exe
Token: SeRestorePrivilege	2960	VC_redist.x64.exe
Token: SeShutdownPrivilege	2960	VC_redist.x64.exe
Token: SeDebugPrivilege	2960	VC_redist.x64.exe
Token: SeAuditPrivilege	2960	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	2960	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	2960	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	2960	VC_redist.x64.exe
Token: SeUndockPrivilege	2960	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	2960	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	2960	VC_redist.x64.exe
Token: SeManageVolumePrivilege	2960	VC_redist.x64.exe
Token: SeImpersonatePrivilege	2960	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	2960	VC_redist.x64.exe
Token: SeRestorePrivilege	1348	msiexec.exe
Token: SeTakeOwnershipPrivilege	1348	msiexec.exe
Token: SeRestorePrivilege	1348	msiexec.exe
Token: SeTakeOwnershipPrivilege	1348	msiexec.exe
Token: SeRestorePrivilege	1348	msiexec.exe
Token: SeTakeOwnershipPrivilege	1348	msiexec.exe
Token: SeRestorePrivilege	1348	msiexec.exe
Token: SeTakeOwnershipPrivilege	1348	msiexec.exe
Token: SeRestorePrivilege	1348	msiexec.exe
Token: SeTakeOwnershipPrivilege	1348	msiexec.exe
Token: SeRestorePrivilege	1348	msiexec.exe
Token: SeTakeOwnershipPrivilege	1348	msiexec.exe
Token: SeRestorePrivilege	1348	msiexec.exe
Token: SeTakeOwnershipPrivilege	1348	msiexec.exe
Token: SeRestorePrivilege	1348	msiexec.exe
Token: SeTakeOwnershipPrivilege	1348	msiexec.exe
Token: SeRestorePrivilege	1348	msiexec.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1564	VC_redist.x64.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe
2264	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1564	2084	VC_redist.x64.exe	28
PID 2084 wrote to memory of 1564	2084	VC_redist.x64.exe	28
PID 2084 wrote to memory of 1564	2084	VC_redist.x64.exe	28
PID 2084 wrote to memory of 1564	2084	VC_redist.x64.exe	28
PID 2084 wrote to memory of 1564	2084	VC_redist.x64.exe	28
PID 2084 wrote to memory of 1564	2084	VC_redist.x64.exe	28
PID 2084 wrote to memory of 1564	2084	VC_redist.x64.exe	28
PID 1564 wrote to memory of 2960	1564	VC_redist.x64.exe	29
PID 1564 wrote to memory of 2960	1564	VC_redist.x64.exe	29
PID 1564 wrote to memory of 2960	1564	VC_redist.x64.exe	29
PID 1564 wrote to memory of 2960	1564	VC_redist.x64.exe	29
PID 1564 wrote to memory of 2960	1564	VC_redist.x64.exe	29
PID 1564 wrote to memory of 2960	1564	VC_redist.x64.exe	29
PID 1564 wrote to memory of 2960	1564	VC_redist.x64.exe	29
PID 2960 wrote to memory of 1296	2960	VC_redist.x64.exe	35
PID 2960 wrote to memory of 1296	2960	VC_redist.x64.exe	35
PID 2960 wrote to memory of 1296	2960	VC_redist.x64.exe	35
PID 2960 wrote to memory of 1296	2960	VC_redist.x64.exe	35
PID 2960 wrote to memory of 1296	2960	VC_redist.x64.exe	35
PID 2960 wrote to memory of 1296	2960	VC_redist.x64.exe	35
PID 2960 wrote to memory of 1296	2960	VC_redist.x64.exe	35
PID 1296 wrote to memory of 1672	1296	VC_redist.x64.exe	36
PID 1296 wrote to memory of 1672	1296	VC_redist.x64.exe	36
PID 1296 wrote to memory of 1672	1296	VC_redist.x64.exe	36
PID 1296 wrote to memory of 1672	1296	VC_redist.x64.exe	36
PID 1296 wrote to memory of 1672	1296	VC_redist.x64.exe	36
PID 1296 wrote to memory of 1672	1296	VC_redist.x64.exe	36
PID 1296 wrote to memory of 1672	1296	VC_redist.x64.exe	36
PID 1672 wrote to memory of 2880	1672	VC_redist.x64.exe	37
PID 1672 wrote to memory of 2880	1672	VC_redist.x64.exe	37
PID 1672 wrote to memory of 2880	1672	VC_redist.x64.exe	37
PID 1672 wrote to memory of 2880	1672	VC_redist.x64.exe	37
PID 1672 wrote to memory of 2880	1672	VC_redist.x64.exe	37
PID 1672 wrote to memory of 2880	1672	VC_redist.x64.exe	37
PID 1672 wrote to memory of 2880	1672	VC_redist.x64.exe	37
PID 2264 wrote to memory of 344	2264	chrome.exe	41
PID 2264 wrote to memory of 344	2264	chrome.exe	41
PID 2264 wrote to memory of 344	2264	chrome.exe	41
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43
PID 2264 wrote to memory of 2804	2264	chrome.exe	43

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.exe
"C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\Temp\{C9B41334-6DF6-4363-A9A1-216C764AEF68}\.cr\VC_redist.x64.exe
  "C:\Windows\Temp\{C9B41334-6DF6-4363-A9A1-216C764AEF68}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\Temp\{6BCF73C4-D814-41A4-892F-8DB0D1013FAF}\.be\VC_redist.x64.exe
    "C:\Windows\Temp\{6BCF73C4-D814-41A4-892F-8DB0D1013FAF}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{83F4D9E1-0582-4C3C-B58F-FB5B3CF9B9DE} {B6C5F7CB-F3AE-41B7-9250-3A0EE6931D62} 1564
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
      "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=500 -burn.embedded BurnPipe.{3C936DB4-EF22-4D2F-8CEB-C45D1729050B} {CAB085B1-5234-464E-9F52-C0766BDC4E32} 2960
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1296
    - - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=500 -burn.embedded BurnPipe.{3C936DB4-EF22-4D2F-8CEB-C45D1729050B} {CAB085B1-5234-464E-9F52-C0766BDC4E32} 2960
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{31D77588-63B8-40D6-9400-E6BA4118C858} {732E50F7-3543-40FA-B658-53D83257B574} 1672
        6⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A8" "00000000000005A0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6459758,0x7fef6459768,0x7fef6459778
  2⤵
  PID:344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1356,i,956163695998008179,10779169864358276373,131072 /prefetch:2
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1356,i,956163695998008179,10779169864358276373,131072 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1356,i,956163695998008179,10779169864358276373,131072 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1572 --field-trial-handle=1356,i,956163695998008179,10779169864358276373,131072 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1356,i,956163695998008179,10779169864358276373,131072 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1456 --field-trial-handle=1356,i,956163695998008179,10779169864358276373,131072 /prefetch:2
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2264 --field-trial-handle=1356,i,956163695998008179,10779169864358276373,131072 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3472 --field-trial-handle=1356,i,956163695998008179,10779169864358276373,131072 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3616 --field-trial-handle=1356,i,956163695998008179,10779169864358276373,131072 /prefetch:8
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3732 --field-trial-handle=1356,i,956163695998008179,10779169864358276373,131072 /prefetch:8
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3504 --field-trial-handle=1356,i,956163695998008179,10779169864358276373,131072 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 --field-trial-handle=1356,i,956163695998008179,10779169864358276373,131072 /prefetch:8
  2⤵
  PID:2536

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f764d3c.rbs

Filesize
17KB

MD5
5527e7d9a404c1f8f7974bd3074b433b

SHA1
6369848866a351752e737808996a451bb0e50de9

SHA256
58dd13adc628736a0c411544f5bd1e6b011ca81afa4c859c1b8d8f488412f797

SHA512
a80f87343a178e0aa7402b173f5d16bc6a79d68f5ba8821d61b71bf9d61fa17ed6ff7ab87753f75b9691cf599a8a376b0dbf97c498e0b2039c5ff1134b4aae85

Download Submit
C:\Config.Msi\f764d48.rbs

Filesize
16KB

MD5
07efb92174ecfefc20cc880d07b04b51

SHA1
c615fd57a707f83ce45d7dd9cb98f08464d7f6e9

SHA256
e9b7d899877d5e2185a354333ccf2e237d08109369ef71ffe53b1a50ad747afe

SHA512
c87c87242c7f710a3ff8849d9a6508d75dd4784ce1f47f8f83d1771ef24f2ba6c2978e199a39424e5a81b9c9c3aca4d4f68c46e80bde7427628413969821e38c

Download Submit
C:\Config.Msi\f764d50.rbs

Filesize
18KB

MD5
e095fb26357a2bbf67b2d4dda19d62d6

SHA1
03f80237bccd94a3164ed8cb8ca8f016972a63a5

SHA256
13d96f4e3db672546885fb246432b17a19fa49630d3c7b703586c88adc50a6eb

SHA512
bef6023d328c7c7da20f27a79437b5ef32de8b3c77bc57b2ac803627c8e70d6d865179c0a180cd2adf948893b6533631c209198086f2130ea96db70567879822

Download Submit
C:\Config.Msi\f764d5f.rbs

Filesize
17KB

MD5
76318a65b9a74081c076847b3128488f

SHA1
a89580f64db919a5251ed05cfdb29cf2a0251ba2

SHA256
928a29c38f1601080c0855db7128974045722b41dd5c8fdfef5b53315044a197

SHA512
bb61804386922a9c1ef20386e14a6ed0f3015693750aff12c641b1988aaa6065e0abc075c95cfbb84cea6a7e12a428be3b36c1ce3ed6ba9773fc35642505e9c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92d9d2d40d0732f30cf99ad2714a3052

SHA1
af30f470715fea9e017f1a962be2fdd3d3356f1a

SHA256
233bb455b018baa8da2753b417aba3b2b37e970d06cfd77def72140eb0a312f4

SHA512
f36482bd3679d22c4d11b621960c1a1f03b05d99dc32782446b3db22a8b7b781b76dd7b1160b7ef80c6a33c4c712e429ca966424feab1d8877ad190a7c431556

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d6265e06fa707d419c7f9208aff3074b

SHA1
a7a00c39025ec40766e1d2a8d7c5dcb610d35751

SHA256
1422917b9b8cd935b3f41874f422955e8b03f93c70fed2783c18349661694aa7

SHA512
da7ea1686acfacba68b9bf9c2832576cebe3a4d9641102d4da0f32b17db6d279b4d9b604b76cba5fc31fa4dbc3a28d924acdee0c2c639dde2d75864f3f91d180

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
af64ea788bba47721e0ad451f0a7e240

SHA1
7e1bdb3d3b2f6d98bebbe40ec4a0417bc8855ce3

SHA256
4087025b7712e27f5d12ff7ffe9496dc45410df376ed48b104f5e1e0c9e528a3

SHA512
45f601fa979fe2e7b4521e9938f72c37039a2a8588e8ef586d2c6e5a9d5fa896cf12dcc5cbe0861bb4537764e0d5423c5a83aff3144c2e2ee570a6db8f7eca47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4D86.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4D99.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar512B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240601183241_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
5c21b049c87518851c18479ab3ea5a89

SHA1
fb1e1c22088e6f520cb8a61c6ad9ae5420bcb568

SHA256
7c119ab9dbf506d3ee01fdfa1d3b76ffb86d7a5d80dfe4941cc473475141c635

SHA512
ce31f9dfa216c1d5e6732a37e5da7b51472e6c2297383a428fe7963ce2074d8479cabfb2c4597e2bbd08d521f2c7af909d6e81eeabf853f82b80b9a0b72b11c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240601183241_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
1dfba9230bd87a51cb21a34a6dea119c

SHA1
289d742d2fea9c5f98d0cde9fb0130de65341949

SHA256
666757eb4b75cb044ac2a6c879172d1e64d930e7b524d19756c9896671710fc7

SHA512
80d2206c65b33807348de6a4c6ec36ee54cc91cb11ecfc612f3b53810ff1e3a826ec8030ac51a3ad8415808d726bf4a3c241390551c94b99ded5c05542b80c67

Download Submit
C:\Windows\Temp\{6BCF73C4-D814-41A4-892F-8DB0D1013FAF}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{6BCF73C4-D814-41A4-892F-8DB0D1013FAF}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
d5a3fd8ad806f66d33d652d5913a95b3

SHA1
7b1bb6cdbe700acc2434dc52c40cdd96a6462a17

SHA256
cc001c20f85e16015e0d23eb0c3a9bc3c3cdcc1adda53f88ac77dd29705ba01a

SHA512
594d710133f44049546c62c3c89614415ad776c24f3ada0a8d1724e6daf27f941eba43a05a096d90cdf51ad51c02462edd6308e2aa393cb8325fde256ed77037

Download Submit
C:\Windows\Temp\{6BCF73C4-D814-41A4-892F-8DB0D1013FAF}\cab5046A8AB272BF37297BB7928664C9503

Filesize
962KB

MD5
8eccd85b6c4273a28a54b0687feb6a96

SHA1
be791128af5713d407df2f7436ea8de1a80ca725

SHA256
8fafd6d0754ee53125902df1b67ef2db86eb7af4c097522f2fb58443501fecdd

SHA512
9fdcb359a5748d0d920e1e12cf31de42fa224840fd11e5878f7caff7c4495b4facacf1a58cdaf0caadd0d9a3af871870b755245d2c1af33f07f3229b85101da0

Download Submit
C:\Windows\Temp\{6BCF73C4-D814-41A4-892F-8DB0D1013FAF}\vcRuntimeAdditional_x64

Filesize
188KB

MD5
5fc68510b7425822a9d0928567ffbd1b

SHA1
f506d97ceac3c435ce6bafda7c47d9a35fc57714

SHA256
7489cdde6a0c8aadb3253f22c460c2dc8099ba677f42d46b277f7040327c9b28

SHA512
4dd4d99ace30eb1add9ae225f159f68636d42d1899acb50f616717f05045e402a2bbb76e4d86569a08ae74bb161b3911a73910fcc7044429da34159cf6b9f473

Download Submit
C:\Windows\Temp\{6BCF73C4-D814-41A4-892F-8DB0D1013FAF}\vcRuntimeMinimum_x64

Filesize
188KB

MD5
0d00edf7e9ad7cfa74f32a524a54f117

SHA1
eea03c0439475a8e4e8e9a9b271faaa554539e18

SHA256
e55a6c147daab01c66aed5e6be0c990bbed0cb78f1c0898373713343ef8556cd

SHA512
0b6730fa8d484466a1ee2a9594572fa40fb8eea4ec70b5d67f5910436ee1d07c80a029cf1f8e488a251439ac1121fd0a76a726836e4cb72dd0fe531ce9692f6a

Download Submit
C:\Windows\WindowsUpdate.log

Filesize
16KB

MD5
329c8d1b62572eb1700e2af8d3bee3da

SHA1
16471f921d6441f43d218eb09736cd405d5bd01a

SHA256
3932fad36e08593c01333db8690658272e22fb69371b15099e4d7e619677bbf1

SHA512
f2d58741f2bfed336b945a8d15a858e844fe212b70af5f7c8993237ab3f0ecb3e0501d2366aef272fc086fc6a94aeba4838e526a7999f32c90dd505b22dc0e0f

Download Submit
\Windows\Temp\{6BCF73C4-D814-41A4-892F-8DB0D1013FAF}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
\Windows\Temp\{C9B41334-6DF6-4363-A9A1-216C764AEF68}\.cr\VC_redist.x64.exe

Filesize
635KB

MD5
ae0540106cfd901b091d3d241e5cb4b0

SHA1
97f93b6e00a5069155a52aa5551e381b6b4221eb

SHA256
8cd998a0318f07a27f78b75edb19479f44273590e300629eff237d47643c496c

SHA512
29bb486bfdd541ba6aed7a2543ff0eb66865af737a8fb79484fb77cb412c3b357c71c16addf232c759d3c20c5e18128df43c68d1cba23f1c363fd9e0b7188177

Download Submit
memory/1296-418-0x00000000010E0000-0x0000000001157000-memory.dmp

Filesize
476KB

Download
memory/1672-417-0x00000000010E0000-0x0000000001157000-memory.dmp

Filesize
476KB

Download
memory/2880-380-0x00000000010E0000-0x0000000001157000-memory.dmp

Filesize
476KB

Download