5280d23c881a12ef908b17cccab1c1d16876d6d930fddc26bffd8535e612028e

Analysis

max time kernel
108s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 10:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

MiniMeters-Setup-0.8.8.exe
Size

28.2MB
MD5

11757c809c28ec54cc3d7973e142d4a2
SHA1

138a36b6fe36726a769c5021a5a6e31a14a1024e
SHA256

5280d23c881a12ef908b17cccab1c1d16876d6d930fddc26bffd8535e612028e
SHA512

ce4126e700f81e27c72455ca47e877a41a8a11edcc7b8c655f5eb63c9486da56adaa56ac76c80765d46a1c097c1cfa85231452f8aa593499c92d7b732d75d289
SSDEEP

786432:YsAaQfZPG50jBk/bzL/DMia2MAtKjjhNtUyu6As7BcpLBiO:YsAaQfhGeVk/fLLla2Vt8N6yu6As7Opx

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	vc_redist.x64.exe

Executes dropped EXE 4 IoCs

pid	Process
3644	MiniMeters-Setup-0.8.8.tmp
3568	vc_redist.x64.exe
1844	vc_redist.x64.exe
4408	VC_redist.x64.exe

Loads dropped DLL 2 IoCs

pid	Process
1844	vc_redist.x64.exe
212	VC_redist.x64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{d4cecf3b-b68f-4995-8840-52ea0fab646e} = "\"C:\\ProgramData\\Package Cache\\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in System32 directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\MiniMeters\MiniMeters.exe	MiniMeters-Setup-0.8.8.tmp
File opened for modification	C:\Program Files\MiniMeters\libssl-3-x64.dll	MiniMeters-Setup-0.8.8.tmp
File created	C:\Program Files\MiniMeters\unins000.dat	MiniMeters-Setup-0.8.8.tmp
File created	C:\Program Files\MiniMeters\is-TSRVC.tmp	MiniMeters-Setup-0.8.8.tmp
File opened for modification	C:\Program Files\MiniMeters\SDL2.dll	MiniMeters-Setup-0.8.8.tmp
File created	C:\Program Files\MiniMeters\is-OD8M3.tmp	MiniMeters-Setup-0.8.8.tmp
File created	C:\Program Files\Common Files\VST3\MiniMetersServer.vst3\Contents\x86_64-win\is-CFOM9.tmp	MiniMeters-Setup-0.8.8.tmp
File created	C:\Program Files\Common Files\CLAP\is-7CG2D.tmp	MiniMeters-Setup-0.8.8.tmp
File opened for modification	C:\Program Files\MiniMeters\libcrypto-3-x64.dll	MiniMeters-Setup-0.8.8.tmp
File created	C:\Program Files\MiniMeters\is-UFNFR.tmp	MiniMeters-Setup-0.8.8.tmp
File created	C:\Program Files\Common Files\VST3\MiniMetersServer.vst3\Contents\x86_64-win\is-GLFN3.tmp	MiniMeters-Setup-0.8.8.tmp
File opened for modification	C:\Program Files\MiniMeters\unins000.dat	MiniMeters-Setup-0.8.8.tmp
File created	C:\Program Files\MiniMeters\is-BEU9B.tmp	MiniMeters-Setup-0.8.8.tmp
File created	C:\Program Files\MiniMeters\is-D5ER6.tmp	MiniMeters-Setup-0.8.8.tmp

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e590b51.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1873.tmp	msiexec.exe
File created	C:\Windows\Installer\e590b79.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1526.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e590b63.msi	msiexec.exe
File created	C:\Windows\Installer\e590b64.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e590b64.msi	msiexec.exe
File created	C:\Windows\Installer\e590b51.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EAE242B1-0A26-485A-BFEB-0292EE9F03CB}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID64.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CF4C347D-954E-4543-88D2-EC17F07F466F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFD6.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MiniMeters-Setup-0.8.8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MiniMeters-Setup-0.8.8.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d5ff6f19a5757d540000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d5ff6f190000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d5ff6f19000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd5ff6f19000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d5ff6f1900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "155"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{EAE242B1-0A26-485A-BFEB-0292EE9F03CB}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.34.31931"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\ = "{d4cecf3b-b68f-4995-8840-52ea0fab646e}"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{d4cecf3b-b68f-4995-8840-52ea0fab646e}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{CF4C347D-954E-4543-88D2-EC17F07F466F}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.34.31931"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Version = "14.34.31931.0"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\D743C4FCE4593454882DCE710FF764F6	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\Version = "237141179"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\PackageName = "vc_runtimeMinimum_x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{EAE242B1-0A26-485A-BFEB-0292EE9F03CB}v14.34.31931\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.34.31931"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Dependents	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.34.31931"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{EAE242B1-0A26-485A-BFEB-0292EE9F03CB}v14.34.31931\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.34.31931"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1B242EAE62A0A584FBBE2029EEF930BC\Servicing_Key	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{d4cecf3b-b68f-4995-8840-52ea0fab646e}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6\Servicing_Key	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1B242EAE62A0A584FBBE2029EEF930BC	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\Version = "237141179"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\InstanceType = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.34.31931"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X64,AMD64,14.30,BUNDLE\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6\VC_Runtime_Minimum	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{CF4C347D-954E-4543-88D2-EC17F07F466F}v14.34.31931\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{CF4C347D-954E-4543-88D2-EC17F07F466F}v14.34.31931\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1B242EAE62A0A584FBBE2029EEF930BC\Provider	msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3644	MiniMeters-Setup-0.8.8.tmp
3644	MiniMeters-Setup-0.8.8.tmp
1052	msiexec.exe
1052	msiexec.exe
1052	msiexec.exe
1052	msiexec.exe
1052	msiexec.exe
1052	msiexec.exe
1052	msiexec.exe
1052	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2736	vssvc.exe
Token: SeRestorePrivilege	2736	vssvc.exe
Token: SeAuditPrivilege	2736	vssvc.exe
Token: SeShutdownPrivilege	4408	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	4408	VC_redist.x64.exe
Token: SeSecurityPrivilege	1052	msiexec.exe
Token: SeCreateTokenPrivilege	4408	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	4408	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	4408	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	4408	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	4408	VC_redist.x64.exe
Token: SeTcbPrivilege	4408	VC_redist.x64.exe
Token: SeSecurityPrivilege	4408	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	4408	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	4408	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	4408	VC_redist.x64.exe
Token: SeSystemtimePrivilege	4408	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	4408	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	4408	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	4408	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	4408	VC_redist.x64.exe
Token: SeBackupPrivilege	4408	VC_redist.x64.exe
Token: SeRestorePrivilege	4408	VC_redist.x64.exe
Token: SeShutdownPrivilege	4408	VC_redist.x64.exe
Token: SeDebugPrivilege	4408	VC_redist.x64.exe
Token: SeAuditPrivilege	4408	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	4408	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	4408	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	4408	VC_redist.x64.exe
Token: SeUndockPrivilege	4408	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	4408	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	4408	VC_redist.x64.exe
Token: SeManageVolumePrivilege	4408	VC_redist.x64.exe
Token: SeImpersonatePrivilege	4408	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	4408	VC_redist.x64.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe
Token: SeTakeOwnershipPrivilege	1052	msiexec.exe
Token: SeRestorePrivilege	1052	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3644	MiniMeters-Setup-0.8.8.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4672	LogonUI.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 3644	1936	MiniMeters-Setup-0.8.8.exe	86
PID 1936 wrote to memory of 3644	1936	MiniMeters-Setup-0.8.8.exe	86
PID 1936 wrote to memory of 3644	1936	MiniMeters-Setup-0.8.8.exe	86
PID 3644 wrote to memory of 3568	3644	MiniMeters-Setup-0.8.8.tmp	100
PID 3644 wrote to memory of 3568	3644	MiniMeters-Setup-0.8.8.tmp	100
PID 3644 wrote to memory of 3568	3644	MiniMeters-Setup-0.8.8.tmp	100
PID 3568 wrote to memory of 1844	3568	vc_redist.x64.exe	101
PID 3568 wrote to memory of 1844	3568	vc_redist.x64.exe	101
PID 3568 wrote to memory of 1844	3568	vc_redist.x64.exe	101
PID 1844 wrote to memory of 4408	1844	vc_redist.x64.exe	103
PID 1844 wrote to memory of 4408	1844	vc_redist.x64.exe	103
PID 1844 wrote to memory of 4408	1844	vc_redist.x64.exe	103
PID 4408 wrote to memory of 3036	4408	VC_redist.x64.exe	112
PID 4408 wrote to memory of 3036	4408	VC_redist.x64.exe	112
PID 4408 wrote to memory of 3036	4408	VC_redist.x64.exe	112
PID 3036 wrote to memory of 212	3036	VC_redist.x64.exe	113
PID 3036 wrote to memory of 212	3036	VC_redist.x64.exe	113
PID 3036 wrote to memory of 212	3036	VC_redist.x64.exe	113
PID 212 wrote to memory of 4180	212	VC_redist.x64.exe	114
PID 212 wrote to memory of 4180	212	VC_redist.x64.exe	114
PID 212 wrote to memory of 4180	212	VC_redist.x64.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\MiniMeters-Setup-0.8.8.exe
"C:\Users\Admin\AppData\Local\Temp\MiniMeters-Setup-0.8.8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\is-4V147.tmp\MiniMeters-Setup-0.8.8.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4V147.tmp\MiniMeters-Setup-0.8.8.tmp" /SL5="$5029E,28772797,831488,C:\Users\Admin\AppData\Local\Temp\MiniMeters-Setup-0.8.8.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Users\Admin\AppData\Local\Temp\is-G3NB9.tmp\vc_redist.x64.exe
    "C:\Users\Admin\AppData\Local\Temp\is-G3NB9.tmp\vc_redist.x64.exe" /install /passive /q /norestart
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Windows\Temp\{52D90916-A9B8-45D1-BF84-3EF7497CE2AB}\.cr\vc_redist.x64.exe
      "C:\Windows\Temp\{52D90916-A9B8-45D1-BF84-3EF7497CE2AB}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-G3NB9.tmp\vc_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=556 /install /passive /q /norestart
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Windows\Temp\{EA897398-6CB3-4B81-97AE-9BDD35A6594D}\.be\VC_redist.x64.exe
        
        "C:\Windows\Temp\{EA897398-6CB3-4B81-97AE-9BDD35A6594D}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{71DC3ABD-D12E-48D8-801D-732418045DFC} {E3D7496D-371D-4981-820C-62C56B75C4F6} 1844
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4408
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1084 -burn.embedded BurnPipe.{0B8E6207-28E4-4A0B-AE52-348454BA51BE} {FDA0D13C-C963-44C3-BFEB-82BF4A0C3AE0} 4408
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1084 -burn.embedded BurnPipe.{0B8E6207-28E4-4A0B-AE52-348454BA51BE} {FDA0D13C-C963-44C3-BFEB-82BF4A0C3AE0} 4408
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{88FCB5DD-93B8-4712-8F8D-EAE47805CF8D} {B258FDF3-D43C-40B1-BF04-88803C1CA671} 212
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:1012

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3925855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e590b56.rbs

Filesize
19KB

MD5
dd6331ac7f77f9c1e52caac44b7e1e70

SHA1
424987610a5c839555db598fd2b19e50baec20aa

SHA256
3a8c1b584685cb66035c172814f841afa480014dec87c3fcaafbb54ae3aa2981

SHA512
795859be17679c04567c5cb09392ed6e8c5717bcb07d564eb314c34079478da1d7855010883eec4e4c7d827c319beb50ad284684012328eb879013b669ede36f

Download Submit
C:\Config.Msi\e590b62.rbs

Filesize
19KB

MD5
4d3108b89e7e9d8c84356f0875cea967

SHA1
0fce47c586e8694665ba6f351988f3bdfca4a8bc

SHA256
1f95ade5f5b943da6db5132bc37ac3fec300b1623c8f1f698dbf23a733bb45f8

SHA512
d152fece6f9c30fe9201ebb42b247d748c7ff0387f59b5f039eeaf4ac41d8e31f0eaff34463cd333b8a79b9d753e8a4a33027f62dae54754eba0a74a9356ea3b

Download Submit
C:\Config.Msi\e590b69.rbs

Filesize
21KB

MD5
12403411c369775335dc4e90e1206a9a

SHA1
6496584addfab9156c675c6b0af410261f91cb9e

SHA256
52b7b142a3f85f38cac7ce8913c57b5e522d262fb7a75375824ae8eccfa9677b

SHA512
c71e9a6991cbc78328d1dc1aab44d94709fdfec6078fd31dee206918e54df00947a2dceb78344b0857090b683a3d245c08467db4257094b763db7a12848afd9f

Download Submit
C:\Config.Msi\e590b78.rbs

Filesize
21KB

MD5
2915f4d2b814550087d7ae29cdfa6130

SHA1
6bdc0c19401ee19478110309295f2b24563a2fc4

SHA256
7697e304bdb074744a23052d7a7fd27a0aee1c685fe039d37fd0468142b1739e

SHA512
11a9c8fdb07b613564bf3ac44f849f5794f9f21a76aa9fa6d16295f97a149cf437696193dc889e4ebfc5bc3eaac34567f23aa779ee2e5b897e6c3b918f3bd874

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240725104305_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
5ddf47e34f1a316d07277d2376aa22ea

SHA1
5564d7106368507ee45447964964b8c48443afa8

SHA256
1d60e3765fedf3c14629e19fd94b4049bb01bad77d6c1d6ed2a1853ac1a1a564

SHA512
531544f82544d9072f262ac1cff8ff7d7e657e1c98deb72790547329e4891f4e06a75a7f6b4920f0f3fa726c7a0a7e2bd2fdf5e470de5e4a5ebae503df687080

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240725104305_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
2812109906bc90f2cfe27e3e2a7896d9

SHA1
a2fb98891e53a305252dfc2d0ba937f03999cb6f

SHA256
92effe245c176e2bb6174cbcfd36a71167ef6ac9641e93c37ceedb990dfd85ae

SHA512
0dc5dd9664032cac994bdc88980b4a857ef83269cd849cf05ccbbd1f490c1c63411eaaa462673f1182c99313ccdc667e775db2853af470893be9fa842f64b0b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4V147.tmp\MiniMeters-Setup-0.8.8.tmp

Filesize
3.0MB

MD5
796fd22a1f17d71c12028c828be5bef2

SHA1
5a6b743443f4137bb57f98abea408c4df6a9498d

SHA256
f3d3116bee51a6d81d7ca9034dbd28ba7fac642f370f6191f2369cfb839b9bef

SHA512
7cce31394495a2d99aae15eb0c2ca61951117f1b3d9b2c40d9f1e4ee64c0627c20be809258e2d7ab2e0f254f17f56392366cf919483d2a5f72fe654dd1003eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G3NB9.tmp\vc_redist.x64.exe

Filesize
24.3MB

MD5
703bd677778f2a1ba1eb4338bac3b868

SHA1
a176f140e942920b777f80de89e16ea57ee32be8

SHA256
2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9

SHA512
a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041

Download Submit
C:\Windows\Temp\{52D90916-A9B8-45D1-BF84-3EF7497CE2AB}\.cr\vc_redist.x64.exe

Filesize
635KB

MD5
848da6b57cb8acc151a8d64d15ba383d

SHA1
8f4d4a1afa9fd985c67642213b3e7ccf415591da

SHA256
5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12

SHA512
ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6

Download Submit
C:\Windows\Temp\{EA897398-6CB3-4B81-97AE-9BDD35A6594D}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{EA897398-6CB3-4B81-97AE-9BDD35A6594D}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{EA897398-6CB3-4B81-97AE-9BDD35A6594D}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
62bc0f466e65d9219281cf75c8f91380

SHA1
0826a1591b81acf0fe30d58e19b0a87df2a49a3e

SHA256
534dd81be6b7a23a745c36eda87e6387c5d146c3a96c84793d0edc7eb85b40f3

SHA512
17713f4228c0c2793c622bbb0a90bd5688d98a6576a695cb956fa233238c4c6e5b0cb43510be4f072613ad575d0b44e7c847f48b785a161cc337a9e6fdca3bb5

Download Submit
C:\Windows\Temp\{EA897398-6CB3-4B81-97AE-9BDD35A6594D}\cab5046A8AB272BF37297BB7928664C9503

Filesize
914KB

MD5
45c9c674c0ba87f57168d6ab852e9641

SHA1
73ace24362f14dc58d4099dae6e4e62902e9e950

SHA256
d14f231d1ab0d928e309b067622b5389e0dc6c4f0d3671632066f6586c442c76

SHA512
5bb06ca9c966c9edd30944523a84efd3c13b8eb9f6a5c6cfd961a0c82a1cb193e7b58baf888dede7b740ed42ce76ab20c3e41a684c4dd9d818ff8b0d9e52e684

Download Submit
C:\Windows\Temp\{EA897398-6CB3-4B81-97AE-9BDD35A6594D}\vcRuntimeAdditional_x64

Filesize
180KB

MD5
c214a9e931bbdd960bb48ac1a2b91945

SHA1
a640c55dd522e01d0be4307a5eee9a40f779a6cc

SHA256
1dbd3e4e71c6678e640c289c1c64bbb12c70f65f52b27191680a9e4141d64b11

SHA512
d25fef3bdd3cd18035892618602e27621e9fb3a913e7972ec7bb624d593ae4b766e718fd2e2c7342c589e9a97beb03d2fedef22e824c6b539b83f199cb967933

Download Submit
C:\Windows\Temp\{EA897398-6CB3-4B81-97AE-9BDD35A6594D}\vcRuntimeMinimum_x64

Filesize
180KB

MD5
df77fc41aa2f85ca423919e397084137

SHA1
5b87cd2dfb661df49f9557e2fc3b95c7833c9b0b

SHA256
51b6a928f7becbf525cbeff180442b05533f8ea8f8494cc97a491e29bdd4b7c2

SHA512
a36b093011b9534db0881eb72de4638e39be67a9844b14fcd3e40539aafd9aa9ce7b14d3968aedb092ecf9bca9ac0918a65f65632643782edafefa36fc12c3e2

Download Submit
memory/212-287-0x0000000000010000-0x0000000000087000-memory.dmp

Filesize
476KB

Download
memory/1936-8-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1936-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1936-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/1936-332-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3036-288-0x0000000000010000-0x0000000000087000-memory.dmp

Filesize
476KB

Download
memory/3644-9-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3644-6-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3644-46-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3644-329-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/3644-331-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4180-250-0x0000000000010000-0x0000000000087000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads