Malware Analysis Report

2025-04-14 02:42

Sample ID 240603-jw856sgf6v
Target 17506052855.zip
SHA256 51f00433ddd1ab817cab9923e841027f949db94fa0ae04f5d5adc9586002c9a9
Tags
execution
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

51f00433ddd1ab817cab9923e841027f949db94fa0ae04f5d5adc9586002c9a9

Threat Level: Likely malicious

The file 17506052855.zip was found to be: Likely malicious.

Malicious Activity Summary

execution

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Drops file in System32 directory

Loads dropped DLL

Drops file in Program Files directory

Executes dropped EXE

Drops file in Windows directory

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 08:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 08:02

Reported

2024-06-03 08:05

Platform

win7-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7e0c33d6d53bba646e05c47b4d34b3f973730ecf289da71f3e71e507fdc83682.msi

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\H: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\I: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\L: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\R: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\Z: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\V: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\X: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\W: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\U: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Program Files\Windows Defenderr\vc.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Program Files\Windows Defenderr\vc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Defenderr\vc.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Windows Defenderr\cc.xml C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI4CAF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5104.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SystemTemp\pss5238.ps1 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f764885.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI48D3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4C6F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\msi5235.txt C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI4C5F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5192.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\scr5236.ps1 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSI4A4A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\scr5237.txt C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SystemTemp\Pro5239.tmp C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\f764888.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f764885.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4B06.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f764888.ipi C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 705295708cb5da01 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2452 wrote to memory of 2064 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2452 wrote to memory of 2064 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2452 wrote to memory of 2064 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2452 wrote to memory of 2064 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2452 wrote to memory of 2064 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2452 wrote to memory of 2064 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2452 wrote to memory of 2064 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2064 wrote to memory of 1520 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 1520 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 1520 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2064 wrote to memory of 1520 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2452 wrote to memory of 1900 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2452 wrote to memory of 1900 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2452 wrote to memory of 1900 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2452 wrote to memory of 1900 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2452 wrote to memory of 1900 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2452 wrote to memory of 1900 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2452 wrote to memory of 1900 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1900 wrote to memory of 852 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1900 wrote to memory of 852 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1900 wrote to memory of 852 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1900 wrote to memory of 852 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 1676 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 1676 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 1676 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 852 wrote to memory of 1676 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 1644 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Windows Defenderr\vc.exe
PID 536 wrote to memory of 1644 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Windows Defenderr\vc.exe
PID 536 wrote to memory of 1644 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Windows Defenderr\vc.exe
PID 536 wrote to memory of 1644 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Windows Defenderr\vc.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7e0c33d6d53bba646e05c47b4d34b3f973730ecf289da71f3e71e507fdc83682.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B4" "0000000000000598"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F3525796222729E933869F1B3843B218

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss4D77.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi4D74.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr4D75.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr4D76.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DBC9D01589302793DFC0A8354E620EA4 M Global\MSI0000

C:\Windows\system32\taskeng.exe

taskeng.exe {86084E34-9A18-450B-95AC-A5EB7FB48FF4} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Windows\SystemTemp\pss5238.ps1" -propFile "C:\Windows\SystemTemp\msi5235.txt" -scriptFile "C:\Windows\SystemTemp\scr5236.ps1" -scriptArgsFile "C:\Windows\SystemTemp\scr5237.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath "C:\Program` Files\Windows` Defenderr"

C:\Program Files\Windows Defenderr\vc.exe

"C:\Program Files\Windows Defenderr\vc.exe"

Network

Country Destination Domain Proto
HK 38.207.178.221:6666 tcp
HK 38.207.178.221:6666 tcp
HK 38.207.178.221:8888 tcp
HK 38.207.178.221:6666 tcp

Files

C:\Windows\Installer\MSI48D3.tmp

MD5 ee45c6dffaf86ed2a76d8f969c390c08
SHA1 ff5b2942ffa7d28ed3f72208e8e76391b2991b5a
SHA256 118a551eef23bf842ed470316aa1a50bf17b6d656652879802d4acc0184608ca
SHA512 a92bc7aff5da3dc33263ea3d43cf617d47a2a6c589118f7ee3c5f293d63171778a7a37815ec23cb426558546cf0a1e694c67c7cbc36cca92677de566d1d71664

C:\Windows\Installer\MSI4C6F.tmp

MD5 fa6cf27d72756d6a0794c65d1133befa
SHA1 90949a22d68347f6834c581abc88faf63e7cb8c0
SHA256 d058a04e0b5550db64d816485d9d25411fba27d3b9a4ef1d2dfe47e98c4a054b
SHA512 6ecc9b610325f015659c2a79deaac50f879f0261236a54c76468150f5194ae8c1a7ff284d13818908fae26ea2a2077f982e97ecc5d7264d7c77d74610ad1dede

C:\Windows\Installer\MSI4CAF.tmp

MD5 743c67416aa1d2568679f45ef36e0179
SHA1 dc7163deb7e0d0e493f0ced46fb2fd0b29e19910
SHA256 58800c0b1f916f5ac032ab6e9410d2e5d687eebc95c2955bded68ac97dacd639
SHA512 f35f5a19aa3fe6fc723b771e7199e35cff4de5ed26a5a0a86377288f9487875bbdb19231743f2a7a019642f59ab57ed7cc02e7b4b9a6ec3c11b595596aa6066c

C:\Users\Admin\AppData\Local\Temp\pss4D77.ps1

MD5 30c30ef2cb47e35101d13402b5661179
SHA1 25696b2aab86a9233f19017539e2dd83b2f75d4e
SHA256 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
SHA512 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

C:\Users\Admin\AppData\Local\Temp\scr4D75.ps1

MD5 7ef79aff6608fd03a304a1a87344c576
SHA1 9c57ed39cec3a1c0278ff50d536da34d55f52162
SHA256 a56cba74db063b4996549de89fec07432fb7470724ec292dab8b97e73c567c51
SHA512 36c5fd4a6d3c875cb311b8b454c39952a36146f2f000926324e0cf16c162409f49c675c575479222a7c28ce26390f473474107859073b37a1813c6aae0e617e6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 f3b123a03bced7f45af1e67c078d127a
SHA1 b45d2a55e6bb92b08d5baf4522ab3290ab112923
SHA256 b8f03a256c54054edbaabcae77645b8daac1f1566d926fb1bc34cc559a816717
SHA512 ff66b35c557e41c3a48562d4c67aa5f573a58773e31f44810016ff02097eeef52150e5c7dfa42bd0ef22f8772bcabe60107145db294dc1c2e4b8bab972372279

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y50LNP5532IB5UXB9PUO.temp

MD5 197b1c46f2c2f1bb3100ebf1e65d49d1
SHA1 55a2bdf8779141a92a2de65853cd818ca03e32fd
SHA256 9a10f90e465602ef3f155cebd896231e511d270ee1fe6310a327b2fd0baac431
SHA512 9f70f70308b50de882a258fe3602744693c6740d02e2b813b0abda85d1bab85dd5bbd72818097e5795fd3ca298630aa143b1736f3bc4ac77abb39808c2181eff

C:\Windows\SystemTemp\scr5236.ps1

MD5 0a4a4ecab6e633aa2b189c9fdca38f1f
SHA1 81d0d5e4f77de2c33cd72d812b7a5d3b7b02b2ad
SHA256 3e51b88f2e7f6d26e2b6b1a6403044af1d8b6c1805affee19848bf0d1b3a03e5
SHA512 ee53f855d8ca9cf72b76bde7f4cf5e674201f85095ee60f4f515e49ce12e08d5303932e364338be2d9206a37ec84e874f2f458afa36164fc7d1a35d460fd702e

C:\Config.Msi\f764889.rbs

MD5 caf51b0902c06394629f5850987af191
SHA1 970292035e324b78330b13c22bce5640f3fee087
SHA256 eeeec7e199cc58f784f998cc7f68122a8d36513d0700a111cd7ca420ac65b2ec
SHA512 6aa8091190bb873d8e5645b88126a6bd38e779334ae26ea71d30982f8f5efc80a743e2a0f46fa51b90ecc7617173059fd9f5b20ab11d21a03da170f5b884be0d

C:\Program Files\Windows Defenderr\vc.exe

MD5 c8de233601e5dd254517522a275b661c
SHA1 15eef70b3ada2b55aebd526446be9a32fd41a796
SHA256 d3449e60c02258d03b42b06c5eb0a2f759dd7b1433b565d5cd9a6be7ccc523ea
SHA512 a16d0a59029455b1b6d8d9d165b6ab10a9eb4cff2c7bdbf6738e9be6badbfa8ab12d39fa94b7b4f8705c69b56d89ea71a2c55e649f27e9c8baf35c7b50bc3cde

C:\Program Files\Windows Defenderr\cc.xml

MD5 77d8e23e5fa59f96e69b9d483d4a3a2c
SHA1 6c10cb3e89c8c1f925363e3f517129187b575cd3
SHA256 693a4c081eb1f52d5eb0659701c289f6422344777d4f00270f75fa82166b04dc
SHA512 b6ea21810586467f97af2d8e2d26aa12ad9e00283f619b768db836d705e548d309a6126ae1d036325dc903eb76f223de0ecbcbb0bdb6adaad627905fc43db7b9

memory/1644-87-0x00000000003D0000-0x00000000003F2000-memory.dmp

memory/1644-88-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1644-90-0x00000000003D0000-0x00000000003F2000-memory.dmp

memory/1644-91-0x00000000003D0000-0x00000000003F2000-memory.dmp

memory/1644-92-0x00000000003D0000-0x00000000003F2000-memory.dmp

memory/1644-93-0x0000000002850000-0x0000000002888000-memory.dmp

memory/1644-94-0x0000000002850000-0x0000000002888000-memory.dmp

memory/1644-98-0x0000000002850000-0x0000000002888000-memory.dmp

memory/1644-97-0x0000000002850000-0x0000000002888000-memory.dmp

memory/1644-100-0x00000000003D0000-0x00000000003F2000-memory.dmp

memory/1644-101-0x00000000003D0000-0x00000000003F2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 08:02

Reported

2024-06-03 08:05

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

155s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7e0c33d6d53bba646e05c47b4d34b3f973730ecf289da71f3e71e507fdc83682.msi

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Defenderr\vc.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Windows Defenderr\cc.xml C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI19F7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2506.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2D34.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{DA375318-4268-4282-8777-F02416BF21F8} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2EEC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\scr5897.ps1 C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\SystemTemp\scr5898.txt C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2EDB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2FD7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI53AC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI215A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e59188f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI243A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI54A7.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\msi5896.txt C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SystemTemp\pss58A8.ps1 C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\SystemTemp\Pro58A9.tmp C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\e59188f.msi C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Defenderr\vc.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000064efbbd21686319b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000064efbbd20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090064efbbd2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d64efbbd2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000064efbbd200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4112 wrote to memory of 5208 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4112 wrote to memory of 5208 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4112 wrote to memory of 5184 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4112 wrote to memory of 5184 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4112 wrote to memory of 5184 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5184 wrote to memory of 4444 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5184 wrote to memory of 4444 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5184 wrote to memory of 4444 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4112 wrote to memory of 3040 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4112 wrote to memory of 3040 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4112 wrote to memory of 3040 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3040 wrote to memory of 5312 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 5312 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 5312 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5312 wrote to memory of 2716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5312 wrote to memory of 2716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5312 wrote to memory of 2716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7e0c33d6d53bba646e05c47b4d34b3f973730ecf289da71f3e71e507fdc83682.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3528 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 0825493B5094780BF63B7BABB1C20E28

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss3206.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi31F3.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr31F4.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr31F5.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 2DC89D01043D0260A9A0C99A2E9E5376 E Global\MSI0000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Windows\SystemTemp\pss58A8.ps1" -propFile "C:\Windows\SystemTemp\msi5896.txt" -scriptFile "C:\Windows\SystemTemp\scr5897.ps1" -scriptArgsFile "C:\Windows\SystemTemp\scr5898.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Add-MpPreference -ExclusionPath "C:\Program` Files\Windows` Defenderr"

C:\Program Files\Windows Defenderr\vc.exe

"C:\Program Files\Windows Defenderr\vc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
HK 38.207.178.221:6666 tcp

Files

C:\Windows\Installer\MSI19F7.tmp

MD5 ee45c6dffaf86ed2a76d8f969c390c08
SHA1 ff5b2942ffa7d28ed3f72208e8e76391b2991b5a
SHA256 118a551eef23bf842ed470316aa1a50bf17b6d656652879802d4acc0184608ca
SHA512 a92bc7aff5da3dc33263ea3d43cf617d47a2a6c589118f7ee3c5f293d63171778a7a37815ec23cb426558546cf0a1e694c67c7cbc36cca92677de566d1d71664

C:\Windows\Installer\MSI2EEC.tmp

MD5 fa6cf27d72756d6a0794c65d1133befa
SHA1 90949a22d68347f6834c581abc88faf63e7cb8c0
SHA256 d058a04e0b5550db64d816485d9d25411fba27d3b9a4ef1d2dfe47e98c4a054b
SHA512 6ecc9b610325f015659c2a79deaac50f879f0261236a54c76468150f5194ae8c1a7ff284d13818908fae26ea2a2077f982e97ecc5d7264d7c77d74610ad1dede

C:\Windows\Installer\MSI2FD7.tmp

MD5 743c67416aa1d2568679f45ef36e0179
SHA1 dc7163deb7e0d0e493f0ced46fb2fd0b29e19910
SHA256 58800c0b1f916f5ac032ab6e9410d2e5d687eebc95c2955bded68ac97dacd639
SHA512 f35f5a19aa3fe6fc723b771e7199e35cff4de5ed26a5a0a86377288f9487875bbdb19231743f2a7a019642f59ab57ed7cc02e7b4b9a6ec3c11b595596aa6066c

memory/4444-41-0x0000000005060000-0x0000000005096000-memory.dmp

memory/4444-42-0x00000000057E0000-0x0000000005E08000-memory.dmp

memory/4444-43-0x0000000005780000-0x00000000057A2000-memory.dmp

memory/4444-44-0x0000000005F80000-0x0000000005FE6000-memory.dmp

memory/4444-45-0x0000000006060000-0x00000000060C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h24iel2f.hns.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4444-51-0x00000000060D0000-0x0000000006424000-memory.dmp

memory/4444-56-0x0000000006660000-0x000000000667E000-memory.dmp

memory/4444-57-0x0000000006680000-0x00000000066CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pss3206.ps1

MD5 30c30ef2cb47e35101d13402b5661179
SHA1 25696b2aab86a9233f19017539e2dd83b2f75d4e
SHA256 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f
SHA512 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

\??\Volume{d2bbef64-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1acd0ecb-f6fe-414f-a905-822cba6123b2}_OnDiskSnapshotProp

MD5 c22f0ba074109b105e22ad8e547f976b
SHA1 fe0fcc55cf0b3b379b349ff4102cefbe28d5dc42
SHA256 acd9624f09a0a8f3839ac96031b98fb23ed13b591e155ab0dd0562bf3ec56e4b
SHA512 67a55065117c8042d0977d750f90f90f5b82e4c6aa566a86be9092c99021ff04779aab538e156e9aefb6ec94dba5ab34973596c512dd88fbc49174458a87ce62

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 909b24c42f684e9ae60a775a9b47e992
SHA1 43386bf54389e9682c76c94c8b739d3befc6647e
SHA256 34410c42496d9a48f908dd08400cec08e46a7a8e264bf5fbfa85736a5ab87e08
SHA512 bff31df8adbc303ebe1f57d1cd297804a00ccb57f6b0a778bb597c8145b13d51eea78663138b1060786cd72740baef07cb33d556b70ddac8c791e0a24355757e

memory/4444-61-0x0000000007DC0000-0x000000000843A000-memory.dmp

memory/4444-62-0x0000000006BB0000-0x0000000006BCA000-memory.dmp

memory/4444-63-0x0000000007740000-0x00000000077D6000-memory.dmp

memory/4444-64-0x0000000007620000-0x0000000007642000-memory.dmp

memory/4444-65-0x0000000008440000-0x00000000089E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scr31F4.ps1

MD5 7ef79aff6608fd03a304a1a87344c576
SHA1 9c57ed39cec3a1c0278ff50d536da34d55f52162
SHA256 a56cba74db063b4996549de89fec07432fb7470724ec292dab8b97e73c567c51
SHA512 36c5fd4a6d3c875cb311b8b454c39952a36146f2f000926324e0cf16c162409f49c675c575479222a7c28ce26390f473474107859073b37a1813c6aae0e617e6

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 25604a2821749d30ca35877a7669dff9
SHA1 49c624275363c7b6768452db6868f8100aa967be
SHA256 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

memory/5312-86-0x0000000005F80000-0x00000000062D4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0b2cf21debd247de77db3352db630054
SHA1 36edb0fbb5243be52215f21b1bfdd5718883930a
SHA256 c75ef663195b9834e404872b51dff7bceb6185f0047b2097f0112b596829a773
SHA512 b6f757deea3e41ad64ba946659968308375e139c6c90e683c29b4ad58653d4e0c5efe0d1eab7e63c6108847aaa6370e9a23bf28d941815ae3c3ee7539cf0062f

memory/5312-92-0x0000000006810000-0x000000000685C000-memory.dmp

C:\Windows\SystemTemp\scr5897.ps1

MD5 0a4a4ecab6e633aa2b189c9fdca38f1f
SHA1 81d0d5e4f77de2c33cd72d812b7a5d3b7b02b2ad
SHA256 3e51b88f2e7f6d26e2b6b1a6403044af1d8b6c1805affee19848bf0d1b3a03e5
SHA512 ee53f855d8ca9cf72b76bde7f4cf5e674201f85095ee60f4f515e49ce12e08d5303932e364338be2d9206a37ec84e874f2f458afa36164fc7d1a35d460fd702e

memory/2716-104-0x0000000007C20000-0x0000000007C52000-memory.dmp

memory/2716-105-0x000000006F210000-0x000000006F25C000-memory.dmp

memory/2716-115-0x0000000007020000-0x000000000703E000-memory.dmp

memory/2716-116-0x0000000007C60000-0x0000000007D03000-memory.dmp

memory/2716-117-0x0000000007DC0000-0x0000000007DCA000-memory.dmp

memory/2716-118-0x0000000007F30000-0x0000000007F41000-memory.dmp

memory/2716-119-0x0000000007F70000-0x0000000007F7E000-memory.dmp

memory/2716-120-0x0000000007F80000-0x0000000007F94000-memory.dmp

memory/2716-121-0x0000000008070000-0x000000000808A000-memory.dmp

memory/2716-122-0x0000000007FB0000-0x0000000007FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 07f74388e3d933c937ec0765e85cd209
SHA1 0f4cf8fbb6ad53ab706c74580159ef08b45a2d88
SHA256 88eb3cbe8f68b6954b6e6d50fbdbebc2a58ba61af2dcee4a0aa8fd886ff2743d
SHA512 b2b9418ad5d7bfeadaec40cf47081084c935507d18a1c44f4be519b2e3496c9a79d70478929d5003d56e0e16533a7ae24cc512295c420de7b97d2af8400ea6c7

C:\Config.Msi\e591892.rbs

MD5 4aff2c0816661d4afbeb64831a2e3377
SHA1 1ec24a65543534b2485d3d3356ec319d7956a726
SHA256 939ac01d4d54a50943426375b518ff785e531a902cc673bb947e201251815df1
SHA512 b6532fb3463c69a34fdaa3738a3abb0c0c8db697ed42c437d2fc2bb282af14ed59c9fcc760d4d32806c399d5d7b23e30ed8d98cbbc97683be9f20097110d714a

C:\Program Files\Windows Defenderr\vc.exe

MD5 c8de233601e5dd254517522a275b661c
SHA1 15eef70b3ada2b55aebd526446be9a32fd41a796
SHA256 d3449e60c02258d03b42b06c5eb0a2f759dd7b1433b565d5cd9a6be7ccc523ea
SHA512 a16d0a59029455b1b6d8d9d165b6ab10a9eb4cff2c7bdbf6738e9be6badbfa8ab12d39fa94b7b4f8705c69b56d89ea71a2c55e649f27e9c8baf35c7b50bc3cde

C:\Program Files\Windows Defenderr\cc.xml

MD5 77d8e23e5fa59f96e69b9d483d4a3a2c
SHA1 6c10cb3e89c8c1f925363e3f517129187b575cd3
SHA256 693a4c081eb1f52d5eb0659701c289f6422344777d4f00270f75fa82166b04dc
SHA512 b6ea21810586467f97af2d8e2d26aa12ad9e00283f619b768db836d705e548d309a6126ae1d036325dc903eb76f223de0ecbcbb0bdb6adaad627905fc43db7b9