92638a7c733b36df5a859ed1c3b94be1b5d82753749c13b0184f72cbae0895d6

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jamovi-2.5.5.0-win-x64.exe
Size

325.6MB
MD5

c7b191ca9b8a0f27dd50d7c6e24a4bdf
SHA1

ead5c7aa3fc314be017d154c44ac10509eea55d0
SHA256

92638a7c733b36df5a859ed1c3b94be1b5d82753749c13b0184f72cbae0895d6
SHA512

17926317c1dd0f15b753fe8830d5a457818ccd5136dd0d693a62804acd31f08a38fac3a2c16f16526340a7a3be3fc4ab1d38d9f17644405bcd86a29777f04bf0
SSDEEP

6291456:EcwVVjA5CpyUw6dKqPQnc6edNaok9EkynxSq03HuRURTwvcLP:Ecwr/pyleYnc6edNaokakynuum0cT

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2772	VC_redist.x64.exe
1940	VC_redist.x64.exe
2888	VC_redist.x64.exe

Loads dropped DLL 8 IoCs

pid	Process
1976	jamovi-2.5.5.0-win-x64.exe
1976	jamovi-2.5.5.0-win-x64.exe
1976	jamovi-2.5.5.0-win-x64.exe
1976	jamovi-2.5.5.0-win-x64.exe
2772	VC_redist.x64.exe
1940	VC_redist.x64.exe
1940	VC_redist.x64.exe
2620	VC_redist.x64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{c649ede4-f16a-4486-a117-dcc2f2a35165} = "\"C:\\ProgramData\\Package Cache\\{c649ede4-f16a-4486-a117-dcc2f2a35165}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2088	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\America\Fort_Nelson	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Atlantic\St_Helena	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Canada\Mountain	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tk8.6\demos\cscroll.tcl	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tk8.6\ttk\vistaTheme.tcl	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\include\tclTomMathDecls.h	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\BWidget\lang\pl.rc	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Etc\GMT0	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Asia\Kuwait	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Asia\Magadan	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\encoding\iso8859-4.enc	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\encoding\macCyrillic.enc	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Pacific\Apia	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\library\MASS\Meta\data.rds	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\BWidget\images\open.gif	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\BWidget\images\warning.gif	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\GMT+0	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Japan	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Africa\Bissau	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\America\Argentina\Cordoba	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tk8.6\demos\image2.tcl	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\library\MASS\Meta\features.rds	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\include\tdbcDecls.h	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\BWidget\BWman\TitleFrame.html	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\SystemV\CST6CDT	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\doc\manual\R-exts.pdf	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Australia\Tasmania	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Etc\GMT-4	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Etc\UTC	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Pacific\Wallis	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tk8.6\optMenu.tcl	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\BWidget\BWman\ScrolledWindow.html	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Antarctica\Palmer	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\BWidget\images\italic.gif	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\America\Knox_IN	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\America\La_Paz	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\America\Indiana\Indianapolis	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\include\tdbcInt.h	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\BWidget\BWman\options.htm	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Asia\Oral	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tdbcodbc1.1.5\pkgIndex.tcl	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tk8.6\demos\tcolor	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tk8.6\ttk\panedwindow.tcl	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\doc\README.Rterm	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\BWidget\pkgIndex.tcl	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Africa\Lubumbashi	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\encoding\cp437.enc	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\encoding\gb12345.enc	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Jamaica	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\America\Guadeloupe	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Australia\LHI	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Europe\Kirov	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\bin\tcl86.dll	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8\8.5\tcltest-2.5.5.tm	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\doc\COPYING	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\US\Michigan	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tk8.6\demos\images\gray25.xbm	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Asia\Amman	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\Canada\Newfoundland	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\library\MASS\Meta\hsearch.rds	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\America\St_Johns	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\America\Argentina\Jujuy	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\CET	jamovi-2.5.5.0-win-x64.exe
File created	C:\Program Files\jamovi 2.5.5.0\Frameworks\R\Tcl\lib\tcl8.6\tzdata\America\Belize	jamovi-2.5.5.0-win-x64.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI94A.tmp	msiexec.exe
File created	C:\Windows\Installer\f790302.msi	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x64.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f7902f1.ipi	msiexec.exe
File created	C:\Windows\Installer\f790305.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f7902ee.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7902f1.ipi	msiexec.exe
File created	C:\Windows\Installer\f790318.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f790305.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1013.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI10E0.tmp	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x64.exe
File created	C:\Windows\Installer\f7902ee.msi	msiexec.exe
File created	C:\Windows\Installer\f790301.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f790302.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\PackageCode = "1688782943A356649B2B29F7077E1BE1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{19AFE054-CA83-45D5-A9DB-4108EF4BD391}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\ = "{c649ede4-f16a-4486-a117-dcc2f2a35165}"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33135"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Dependents\{c649ede4-f16a-4486-a117-dcc2f2a35165}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\450EFA9138AC5D549ABD1480FEB43D19	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5BA8C0AA792764D40A9D8090F65EE964	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\5BA8C0AA792764D40A9D8090F65EE964	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\SourceList\PackageName = "vc_runtimeMinimum_x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\450EFA9138AC5D549ABD1480FEB43D19	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\450EFA9138AC5D549ABD1480FEB43D19\VC_Runtime_Additional	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\SourceList\PackageName = "vc_runtimeAdditional_x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5BA8C0AA792764D40A9D8090F65EE964\VC_Runtime_Minimum	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\450EFA9138AC5D549ABD1480FEB43D19\Provider	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\DeploymentFlags = "3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{AA0C8AB5-7297-4D46-A0D9-08096FE59E46}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Version = "14.38.33135.0"	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.38.33135"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Dependents	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.38.33135"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\PackageCode = "F31F6C1FFC7AAFF4D8FF3C825AB567E9"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.38.33135"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5BA8C0AA792764D40A9D8090F65EE964\Provider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{AA0C8AB5-7297-4D46-A0D9-08096FE59E46}v14.38.33135\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{c649ede4-f16a-4486-a117-dcc2f2a35165}	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\Version = "237404527"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5BA8C0AA792764D40A9D8090F65EE964\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\450EFA9138AC5D549ABD1480FEB43D19\Servicing_Key	msiexec.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2088	msiexec.exe
2088	msiexec.exe
2088	msiexec.exe
2088	msiexec.exe
2088	msiexec.exe
2088	msiexec.exe
2088	msiexec.exe
2088	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1976	jamovi-2.5.5.0-win-x64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1712	vssvc.exe
Token: SeRestorePrivilege	1712	vssvc.exe
Token: SeAuditPrivilege	1712	vssvc.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeRestorePrivilege	2040	DrvInst.exe
Token: SeLoadDriverPrivilege	2040	DrvInst.exe
Token: SeLoadDriverPrivilege	2040	DrvInst.exe
Token: SeLoadDriverPrivilege	2040	DrvInst.exe
Token: SeShutdownPrivilege	2888	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	2888	VC_redist.x64.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeSecurityPrivilege	2088	msiexec.exe
Token: SeCreateTokenPrivilege	2888	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	2888	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	2888	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	2888	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	2888	VC_redist.x64.exe
Token: SeTcbPrivilege	2888	VC_redist.x64.exe
Token: SeSecurityPrivilege	2888	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	2888	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	2888	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	2888	VC_redist.x64.exe
Token: SeSystemtimePrivilege	2888	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	2888	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	2888	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	2888	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	2888	VC_redist.x64.exe
Token: SeBackupPrivilege	2888	VC_redist.x64.exe
Token: SeRestorePrivilege	2888	VC_redist.x64.exe
Token: SeShutdownPrivilege	2888	VC_redist.x64.exe
Token: SeDebugPrivilege	2888	VC_redist.x64.exe
Token: SeAuditPrivilege	2888	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	2888	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	2888	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	2888	VC_redist.x64.exe
Token: SeUndockPrivilege	2888	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	2888	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	2888	VC_redist.x64.exe
Token: SeManageVolumePrivilege	2888	VC_redist.x64.exe
Token: SeImpersonatePrivilege	2888	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	2888	VC_redist.x64.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe
Token: SeTakeOwnershipPrivilege	2088	msiexec.exe
Token: SeRestorePrivilege	2088	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1940	VC_redist.x64.exe
1976	jamovi-2.5.5.0-win-x64.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2772	1976	jamovi-2.5.5.0-win-x64.exe	31
PID 1976 wrote to memory of 2772	1976	jamovi-2.5.5.0-win-x64.exe	31
PID 1976 wrote to memory of 2772	1976	jamovi-2.5.5.0-win-x64.exe	31
PID 1976 wrote to memory of 2772	1976	jamovi-2.5.5.0-win-x64.exe	31
PID 1976 wrote to memory of 2772	1976	jamovi-2.5.5.0-win-x64.exe	31
PID 1976 wrote to memory of 2772	1976	jamovi-2.5.5.0-win-x64.exe	31
PID 1976 wrote to memory of 2772	1976	jamovi-2.5.5.0-win-x64.exe	31
PID 2772 wrote to memory of 1940	2772	VC_redist.x64.exe	32
PID 2772 wrote to memory of 1940	2772	VC_redist.x64.exe	32
PID 2772 wrote to memory of 1940	2772	VC_redist.x64.exe	32
PID 2772 wrote to memory of 1940	2772	VC_redist.x64.exe	32
PID 2772 wrote to memory of 1940	2772	VC_redist.x64.exe	32
PID 2772 wrote to memory of 1940	2772	VC_redist.x64.exe	32
PID 2772 wrote to memory of 1940	2772	VC_redist.x64.exe	32
PID 1940 wrote to memory of 2888	1940	VC_redist.x64.exe	33
PID 1940 wrote to memory of 2888	1940	VC_redist.x64.exe	33
PID 1940 wrote to memory of 2888	1940	VC_redist.x64.exe	33
PID 1940 wrote to memory of 2888	1940	VC_redist.x64.exe	33
PID 1940 wrote to memory of 2888	1940	VC_redist.x64.exe	33
PID 1940 wrote to memory of 2888	1940	VC_redist.x64.exe	33
PID 1940 wrote to memory of 2888	1940	VC_redist.x64.exe	33
PID 2888 wrote to memory of 660	2888	VC_redist.x64.exe	39
PID 2888 wrote to memory of 660	2888	VC_redist.x64.exe	39
PID 2888 wrote to memory of 660	2888	VC_redist.x64.exe	39
PID 2888 wrote to memory of 660	2888	VC_redist.x64.exe	39
PID 2888 wrote to memory of 660	2888	VC_redist.x64.exe	39
PID 2888 wrote to memory of 660	2888	VC_redist.x64.exe	39
PID 2888 wrote to memory of 660	2888	VC_redist.x64.exe	39
PID 660 wrote to memory of 2620	660	VC_redist.x64.exe	40
PID 660 wrote to memory of 2620	660	VC_redist.x64.exe	40
PID 660 wrote to memory of 2620	660	VC_redist.x64.exe	40
PID 660 wrote to memory of 2620	660	VC_redist.x64.exe	40
PID 660 wrote to memory of 2620	660	VC_redist.x64.exe	40
PID 660 wrote to memory of 2620	660	VC_redist.x64.exe	40
PID 660 wrote to memory of 2620	660	VC_redist.x64.exe	40
PID 2620 wrote to memory of 1404	2620	VC_redist.x64.exe	41
PID 2620 wrote to memory of 1404	2620	VC_redist.x64.exe	41
PID 2620 wrote to memory of 1404	2620	VC_redist.x64.exe	41
PID 2620 wrote to memory of 1404	2620	VC_redist.x64.exe	41
PID 2620 wrote to memory of 1404	2620	VC_redist.x64.exe	41
PID 2620 wrote to memory of 1404	2620	VC_redist.x64.exe	41
PID 2620 wrote to memory of 1404	2620	VC_redist.x64.exe	41

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\jamovi-2.5.5.0-win-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jamovi-2.5.5.0-win-x64.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Program Files\jamovi 2.5.5.0\VC_redist.x64.exe
  "C:\Program Files\jamovi 2.5.5.0\VC_redist.x64.exe" /install /passive /norestart
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\Temp\{03CCA870-3EEF-4433-9C06-BC04DBAA5805}\.cr\VC_redist.x64.exe
    "C:\Windows\Temp\{03CCA870-3EEF-4433-9C06-BC04DBAA5805}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Program Files\jamovi 2.5.5.0\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /install /passive /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\Temp\{7F7324A0-A19B-4846-B01C-3484CA384633}\.be\VC_redist.x64.exe
      "C:\Windows\Temp\{7F7324A0-A19B-4846-B01C-3484CA384633}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{586D6ACB-5F35-4473-B0EF-9E91829A7F4A} {CC2AE795-E17C-4DEA-B283-62136D66DB86} 1940
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=500 -burn.embedded BurnPipe.{47385554-96AB-4028-814D-DBD202BDC453} {AC7564D3-6405-4556-A2F3-25C93A4B2509} 2888
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:660
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=500 -burn.embedded BurnPipe.{47385554-96AB-4028-814D-DBD202BDC453} {AC7564D3-6405-4556-A2F3-25C93A4B2509} 2888
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{E5BB1F6F-1535-4202-9D8B-ADF91753F422} {82141247-35C3-4032-A38E-0EA4086DA554} 2620
        7⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000048C" "00000000000005B4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7902f4.rbs

Filesize
17KB

MD5
7d4e47c999c6091e2455aa8029e02a5d

SHA1
02453e94d1d2cd100feee514227d451681a0fafc

SHA256
a022897e677cc895af7ab6f6f023ac809767afed243bb085a943c15209dc333c

SHA512
7835d2cbfd043caeac0eb6861a82886f6a16938027699bb07afa016210a8e0bed730f442d3acc9dff20ad270ee3ff416afabf03b9610c30195f160c95f321f83

Download Submit
C:\Config.Msi\f790300.rbs

Filesize
16KB

MD5
a7a196a717734f4cdaf2ca36e0db5e5e

SHA1
00e0ba5e7ab54f1be0da0d227cc3e07c80ccf247

SHA256
5eca28abfd21f9fe18fb3e63ad19716c7992fc56ee83afc33fca45214da76246

SHA512
efb36fb519505ac3296af2bdde8eec8b6f0d8647cecf3c14b77fb96422f0335ac1da5d5d37c3d93312dc935738366bfa22acf74090043e78d7b6b783a69bc11f

Download Submit
C:\Config.Msi\f790308.rbs

Filesize
18KB

MD5
7637a72e85515b265fc1602a8c7daab1

SHA1
65bb702838139bab056756413660841e3b299e12

SHA256
78094f88409c909371aa75911e12e8b020dffe28f5d264dbafb6298a21a7acbf

SHA512
7cc9c59d3a4f5fff3c4556ae295d782edb45e7bbedc37d93f0f20475036e6b4a1cb3ce2fdb8da00ad4ff91081c3e9ba89c2c4f6860aefb0eb2ff50619bf681be

Download Submit
C:\Config.Msi\f790317.rbs

Filesize
17KB

MD5
a22865022c43bcf500dd197e0cc2f509

SHA1
38fe7374905129c6867b54e74039ef5e2b3b631e

SHA256
04a325f69c2b471123584205fd56198faba11d0f34ad402523858c8e49f5a93a

SHA512
1d9d175acba939fc2c89a6a29ea9d826f2ac9a79ca26467379d040a9c0e55f833d2c4adb2a349451d01f4fbc7c7bd61215db03ed1c79f5ca8f276f0c3e4a7708

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0357629e1c2d1dc6092290e075ef4d12

SHA1
7889e1dbbb60bf74ee3fe488959a6d083e6b90ea

SHA256
bf6a3db5e2b6130c6b4d2782cd84f7ce31b08f1d713696132225a6b68f3104e8

SHA512
7c22208de8d7a1aeae5f0bc0e8857feeae41c81e5657a00e48e3af8c8d811ceccfc2c536eab5d9e72b4a7be3bac4d1403210f8c218ecf23b778e7248348d4b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab31E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar331.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240719052956_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
4515db6104d8536ab29e6550d033a533

SHA1
2c282d98b5a567c4ea4cd6bc65e173dd3bff434a

SHA256
0da51ecb2c80b7862321f0aa733ca6adb0673012b73194722adb68d2ba9ab119

SHA512
4e824c4b33ca973d84904276a72e343a181c15901653e1280cc84d25e1f415478165d341890e10ff402626bc6dbe70685641609721a951c77429a70f97bc72e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240719052956_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
fbb6b55c45532f28da246db5edb4ded7

SHA1
34a08c97c8f8ea7e0c811427ba7553591611a66e

SHA256
60fbce7d927b549b367f888e32adae7d0ff7acf054a92b8fe78e95b8fb6cc889

SHA512
ae99d070badc9ee049be2bc02c2c7039d74847d91f00630796242738994688f9686af2f7bb5b0e96b6bd1e7684b408fdcf64468c41f976d63a7d68352c88c0cf

Download Submit
C:\Windows\Temp\{03CCA870-3EEF-4433-9C06-BC04DBAA5805}\.cr\VC_redist.x64.exe

Filesize
635KB

MD5
b73be38096eddc4d427fbbfdd8cf15bd

SHA1
534f605fd43cc7089e448e5fa1b1a2d56de14779

SHA256
ab1164dcaf6c7d7d4905881f332a7b6f854be46e36b860c44d9eedc96ab6607a

SHA512
5af779926d344bc7c4140725f90cddad5eb778f5ca4856d5a31a6084424964d205638815eab4454e0ea34ea56fafca19fadd1eb2779dc6b7f277e4e4ce4b1603

Download Submit
C:\Windows\Temp\{7F7324A0-A19B-4846-B01C-3484CA384633}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{7F7324A0-A19B-4846-B01C-3484CA384633}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
d0cbbe859fbb7c25dd5158e0f45d3682

SHA1
9c2f0b8379976fda1b46aa8c4a4a27b6f824b659

SHA256
97aef328363e120e786841903bb51a17547aa84f64d5d3525940ec5a69b9a627

SHA512
7ad84ae54668c07033ad100bc101fd0bf0b0783a1dd1f018d241097e167328b8e87cc15e4c0b45859e1946d41ef7528f46ca3c44deccd8859f11274d9e4189b6

Download Submit
C:\Windows\Temp\{7F7324A0-A19B-4846-B01C-3484CA384633}\cab5046A8AB272BF37297BB7928664C9503

Filesize
955KB

MD5
3d14b0e254ea96fef419e6da38eb25e4

SHA1
93341ef98a0e2ae2cccc7e467af23bcc477d9a5c

SHA256
8717dc81d0345d8b81aa85e776fd3e0e6010dba974bf0f5660071e6d680c4526

SHA512
64a656648c16aa78ed74196e327126f6a9eb5d89052cdcd8f83eb655842e41c4f42be7f61541371f36ce322d208d1d707f485e99a79aa799fad7fd2c51553811

Download Submit
C:\Windows\Temp\{7F7324A0-A19B-4846-B01C-3484CA384633}\vcRuntimeAdditional_x64

Filesize
188KB

MD5
d5a907e3b279f26804af0c56b0c65d52

SHA1
63bf7f0afd12ef21781dc14dd3b14c59d9e66518

SHA256
401ffa2ef4f070e211ef3f6e4f8a2a7af2bc9ea0119bbacad040669ab6221bba

SHA512
8d23fed4d26f0e2d1e40d5993ab2f588be1e7873cbcbe2064351ca8ef705bf74535225e9d0c2adf93fabfd45691077c7abb3991a013c8b4b234b9751c991f327

Download Submit
C:\Windows\Temp\{7F7324A0-A19B-4846-B01C-3484CA384633}\vcRuntimeMinimum_x64

Filesize
188KB

MD5
e312d6be7dee2b8f3737e0a1bc92e3aa

SHA1
72487572a3f8b8eff93489997c8a5041ea7a6867

SHA256
d48c8e848a219bceb638b2505132756cb908703fe75dee78bdf475435420dc49

SHA512
b39a0c18aa242887e3f9ae3d49bc9d6765ce15097718964cccd86b824d13481cbd53175105db29d17e3a08f74fe4d20dfb3f9989eca5276c3f5fbb255b80f8ae

Download Submit
C:\Windows\WindowsUpdate.log

Filesize
16KB

MD5
caa36ec7ff6ed896a7c3a9afeecee0a8

SHA1
8deab53344cbbedeea24deeb9c322cd4997cc642

SHA256
7aeab1ec8e8b90ddcee1521142e6c5b6a3c977f7c246398c053f1b2b19796fca

SHA512
399216177f73399e1b0d4edf44a459f2b8e79af955e9ef50d3fd3551b74362d28da2e45fd1802510744ae458e5767f8e234b97db52a3faf28bb4bb320b98416d

Download Submit
\Program Files\jamovi 2.5.5.0\vc_redist.x64.exe

Filesize
24.2MB

MD5
a8a68bcc74b5022467f12587baf1ef93

SHA1
046f00c519900fcbf2e6e955fc155b11156a733b

SHA256
1ad7988c17663cc742b01bef1a6df2ed1741173009579ad50a94434e54f56073

SHA512
70a05bde549e5a973397cd77fe0c6380807cae768aa98454830f321a0de64bd0da30f31615ae6b4d9f0d244483a571e46024cf51b20fe813a6304a74bd8c0cc2

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF346.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF346.tmp\UserInfo.dll

Filesize
4KB

MD5
d458b8251443536e4a334147e0170e95

SHA1
ba8d4d580f1bc0bb2eaa8b9b02ee9e91b8b50fc3

SHA256
4913d4cccf84cd0534069107cff3e8e2f427160cad841547db9019310ac86cc7

SHA512
6ff523a74c3670b8b5cd92f62dcc6ea50b65a5d0d6e67ee1079bdb8a623b27dd10b9036a41aa8ec928200c85323c1a1f3b5c0948b59c0671de183617b65a96b1

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF346.tmp\nsDialogs.dll

Filesize
9KB

MD5
1d8f01a83ddd259bc339902c1d33c8f1

SHA1
9f7806af462c94c39e2ec6cc9c7ad05c44eba04e

SHA256
4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed

SHA512
28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

Download Submit
\Windows\Temp\{7F7324A0-A19B-4846-B01C-3484CA384633}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
memory/660-419-0x0000000000F80000-0x0000000000FF7000-memory.dmp

Filesize
476KB

Download
memory/1404-381-0x0000000000F80000-0x0000000000FF7000-memory.dmp

Filesize
476KB

Download
memory/2620-418-0x0000000000F80000-0x0000000000FF7000-memory.dmp

Filesize
476KB

Download