d789e02dadbdc9b3ce6b1c8d1ff75f62db79650bd92de71c313bbfefe66dfe81

Analysis

max time kernel
46s
max time network
49s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13/08/2024, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AllOutInstaller(1.3.2).exe
Size

27.8MB
MD5

40c837f9a461ae78339735764e9f8bd3
SHA1

e77dfdbfacbe16021e0e89b223e415b1e8e23881
SHA256

d789e02dadbdc9b3ce6b1c8d1ff75f62db79650bd92de71c313bbfefe66dfe81
SHA512

60f550060cbaa2ec77cbe295962c6dd77c22027da84d8d42e672df1e12fbfffd3ccae1120d62f5561ce238985bdef6ce9e31a0228db2b5fae40038a2dfc3576d
SSDEEP

786432:ZZFndkFvbGcTPYe4jD1Zi+1BvGle9/b1F1/i:ZZFndkJbpTPYBjD1ZiMB716

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{D2B8B46C-3AA6-46DC-8354-40024777203E} = "\"C:\\ProgramData\\Package Cache\\{D2B8B46C-3AA6-46DC-8354-40024777203E}\\AllOutInstaller.exe\" /burn.clean.room /burn.runonce"	AllOutInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{1de5e707-82da-4db6-b810-5d140cc4cbb3} = "\"C:\\ProgramData\\Package Cache\\{1de5e707-82da-4db6-b810-5d140cc4cbb3}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	1684	msiexec.exe
5	1684	msiexec.exe
7	1684	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\AllOut\All Out\licenses\sokol	msiexec.exe
File created	C:\Program Files\AllOut\All Out\licenses\imgui	msiexec.exe
File created	C:\Program Files\AllOut\All Out\sentry.dll	msiexec.exe
File created	C:\Program Files\AllOut\All Out\licenses\miniz	msiexec.exe
File created	C:\Program Files\AllOut\All Out\icon.ico	msiexec.exe
File created	C:\Program Files\AllOut\All Out\crashpad_wer.dll	msiexec.exe
File created	C:\Program Files\AllOut\All Out\licenses\.DS_Store	msiexec.exe
File created	C:\Program Files\AllOut\All Out\licenses\sentry	msiexec.exe
File created	C:\Program Files\AllOut\All Out\All Out.exe	msiexec.exe
File created	C:\Program Files\AllOut\All Out\licenses\picojson	msiexec.exe
File created	C:\Program Files\AllOut\All Out\licenses\cpp-httplib	msiexec.exe
File created	C:\Program Files\AllOut\All Out\crashpad_handler.exe	msiexec.exe

Drops file in Windows directory 33 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f77642f.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{F1D2F05D-1932-4B19-92EA-AE540C8537F5}\_853F67D554F05449430E7E.exe	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x64.exe
File opened for modification	C:\Windows\Installer\f776415.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A9C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI709C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f776418.ipi	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	AllOutInstaller.exe
File created	C:\Windows\Installer\f776401.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\{F1D2F05D-1932-4B19-92EA-AE540C8537F5}\_853F67D554F05449430E7E.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI69CF.tmp	msiexec.exe
File created	C:\Windows\Installer\f776418.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6EF5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77642c.msi	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	AllOutInstaller(1.3.2).exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f77642b.msi	msiexec.exe
File created	C:\Windows\Installer\f77642c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f776401.msi	msiexec.exe
File created	C:\Windows\Installer\f776414.msi	msiexec.exe
File created	C:\Windows\Installer\f776415.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77642f.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f776404.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f776404.ipi	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x64.exe
File opened for modification	C:\Windows\Installer\MSI8F94.tmp	msiexec.exe
File created	C:\Windows\Installer\f776431.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe

Executes dropped EXE 5 IoCs

pid	Process
2892	AllOutInstaller(1.3.2).exe
2164	AllOutInstaller.exe
2212	VC_redist.x64.exe
1996	VC_redist.x64.exe
1932	VC_redist.x64.exe

Loads dropped DLL 7 IoCs

pid	Process
2072	AllOutInstaller(1.3.2).exe
2892	AllOutInstaller(1.3.2).exe
2892	AllOutInstaller(1.3.2).exe
2212	VC_redist.x64.exe
1996	VC_redist.x64.exe
1996	VC_redist.x64.exe
2852	VC_redist.x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\32	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList\PackageName = "vc_runtimeMinimum_x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.38.33130"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{D2B8B46C-3AA6-46DC-8354-40024777203E}\ = "{D2B8B46C-3AA6-46DC-8354-40024777203E}"	AllOutInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BD77713C1C1591B4F90883FEC5D1C798	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D50F2D1F239191B429AEEA45C058735F\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList\Media\1 = ";"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BD77713C1C1591B4F90883FEC5D1C798\Provider	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{D2B8B46C-3AA6-46DC-8354-40024777203E}\DisplayName = "All Out Installer"	AllOutInstaller.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BD77713C1C1591B4F90883FEC5D1C798\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D50F2D1F239191B429AEEA45C058735F\ProductIcon = "C:\\Windows\\Installer\\{F1D2F05D-1932-4B19-92EA-AE540C8537F5}\\_853F67D554F05449430E7E.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\allout11\ = "URL:allout11"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D50F2D1F239191B429AEEA45C058735F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\86CF67490775AF84283B42E0CBA0739B\D50F2D1F239191B429AEEA45C058735F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{C31777DB-51C1-4B19-9F80-38EF5C1D7C89}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\Version = "237404522"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D50F2D1F239191B429AEEA45C058735F\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D50F2D1F239191B429AEEA45C058735F\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{F1D2F05D-1932-4B19-92EA-AE540C8537F5}v2.4.1\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{D2B8B46C-3AA6-46DC-8354-40024777203E}	AllOutInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D50F2D1F239191B429AEEA45C058735F\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\allout11\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D50F2D1F239191B429AEEA45C058735F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{F1D2F05D-1932-4B19-92EA-AE540C8537F5}_v2.4.1\Dependents	AllOutInstaller.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F1247AC1522AC9A43B023A96182A7B98\VC_Runtime_Minimum	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.38.33130"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\allout11\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\allout11	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\ = "{1de5e707-82da-4db6-b810-5d140cc4cbb3}"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33130"	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BD77713C1C1591B4F90883FEC5D1C798\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{C31777DB-51C1-4B19-9F80-38EF5C1D7C89}v14.38.33130\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{F1D2F05D-1932-4B19-92EA-AE540C8537F5}_v2.4.1\ = "{F1D2F05D-1932-4B19-92EA-AE540C8537F5}"	AllOutInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Dependents	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{F1D2F05D-1932-4B19-92EA-AE540C8537F5}_v2.4.1	AllOutInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D50F2D1F239191B429AEEA45C058735F\DefaultFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.38.33130"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\allout11\DefaultIcon	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D50F2D1F239191B429AEEA45C058735F\Version = "33816577"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D50F2D1F239191B429AEEA45C058735F\SourceList\PackageName = "installer.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D50F2D1F239191B429AEEA45C058735F\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1247AC1522AC9A43B023A96182A7B98\PackageCode = "5ED4A84E7A8511F4F91076B9DE989D70"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe
1684	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2652	vssvc.exe
Token: SeRestorePrivilege	2652	vssvc.exe
Token: SeAuditPrivilege	2652	vssvc.exe
Token: SeBackupPrivilege	2164	AllOutInstaller.exe
Token: SeRestorePrivilege	2164	AllOutInstaller.exe
Token: SeRestorePrivilege	2456	DrvInst.exe
Token: SeRestorePrivilege	2456	DrvInst.exe
Token: SeRestorePrivilege	2456	DrvInst.exe
Token: SeRestorePrivilege	2456	DrvInst.exe
Token: SeRestorePrivilege	2456	DrvInst.exe
Token: SeRestorePrivilege	2456	DrvInst.exe
Token: SeRestorePrivilege	2456	DrvInst.exe
Token: SeLoadDriverPrivilege	2456	DrvInst.exe
Token: SeLoadDriverPrivilege	2456	DrvInst.exe
Token: SeLoadDriverPrivilege	2456	DrvInst.exe
Token: SeRestorePrivilege	972	DrvInst.exe
Token: SeRestorePrivilege	972	DrvInst.exe
Token: SeRestorePrivilege	972	DrvInst.exe
Token: SeRestorePrivilege	972	DrvInst.exe
Token: SeRestorePrivilege	972	DrvInst.exe
Token: SeRestorePrivilege	972	DrvInst.exe
Token: SeRestorePrivilege	972	DrvInst.exe
Token: SeLoadDriverPrivilege	972	DrvInst.exe
Token: SeLoadDriverPrivilege	972	DrvInst.exe
Token: SeLoadDriverPrivilege	972	DrvInst.exe
Token: SeShutdownPrivilege	1932	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	1932	VC_redist.x64.exe
Token: SeRestorePrivilege	1684	msiexec.exe
Token: SeTakeOwnershipPrivilege	1684	msiexec.exe
Token: SeSecurityPrivilege	1684	msiexec.exe
Token: SeCreateTokenPrivilege	1932	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	1932	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	1932	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	1932	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	1932	VC_redist.x64.exe
Token: SeTcbPrivilege	1932	VC_redist.x64.exe
Token: SeSecurityPrivilege	1932	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	1932	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	1932	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	1932	VC_redist.x64.exe
Token: SeSystemtimePrivilege	1932	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	1932	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	1932	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	1932	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	1932	VC_redist.x64.exe
Token: SeBackupPrivilege	1932	VC_redist.x64.exe
Token: SeRestorePrivilege	1932	VC_redist.x64.exe
Token: SeShutdownPrivilege	1932	VC_redist.x64.exe
Token: SeDebugPrivilege	1932	VC_redist.x64.exe
Token: SeAuditPrivilege	1932	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	1932	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	1932	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	1932	VC_redist.x64.exe
Token: SeUndockPrivilege	1932	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	1932	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	1932	VC_redist.x64.exe
Token: SeManageVolumePrivilege	1932	VC_redist.x64.exe
Token: SeImpersonatePrivilege	1932	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	1932	VC_redist.x64.exe
Token: SeRestorePrivilege	1684	msiexec.exe
Token: SeTakeOwnershipPrivilege	1684	msiexec.exe
Token: SeRestorePrivilege	1684	msiexec.exe
Token: SeTakeOwnershipPrivilege	1684	msiexec.exe
Token: SeRestorePrivilege	1684	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2892	AllOutInstaller(1.3.2).exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2892	2072	AllOutInstaller(1.3.2).exe	30
PID 2072 wrote to memory of 2892	2072	AllOutInstaller(1.3.2).exe	30
PID 2072 wrote to memory of 2892	2072	AllOutInstaller(1.3.2).exe	30
PID 2892 wrote to memory of 2164	2892	AllOutInstaller(1.3.2).exe	31
PID 2892 wrote to memory of 2164	2892	AllOutInstaller(1.3.2).exe	31
PID 2892 wrote to memory of 2164	2892	AllOutInstaller(1.3.2).exe	31
PID 2164 wrote to memory of 2212	2164	AllOutInstaller.exe	35
PID 2164 wrote to memory of 2212	2164	AllOutInstaller.exe	35
PID 2164 wrote to memory of 2212	2164	AllOutInstaller.exe	35
PID 2164 wrote to memory of 2212	2164	AllOutInstaller.exe	35
PID 2164 wrote to memory of 2212	2164	AllOutInstaller.exe	35
PID 2164 wrote to memory of 2212	2164	AllOutInstaller.exe	35
PID 2164 wrote to memory of 2212	2164	AllOutInstaller.exe	35
PID 2212 wrote to memory of 1996	2212	VC_redist.x64.exe	36
PID 2212 wrote to memory of 1996	2212	VC_redist.x64.exe	36
PID 2212 wrote to memory of 1996	2212	VC_redist.x64.exe	36
PID 2212 wrote to memory of 1996	2212	VC_redist.x64.exe	36
PID 2212 wrote to memory of 1996	2212	VC_redist.x64.exe	36
PID 2212 wrote to memory of 1996	2212	VC_redist.x64.exe	36
PID 2212 wrote to memory of 1996	2212	VC_redist.x64.exe	36
PID 1996 wrote to memory of 1932	1996	VC_redist.x64.exe	37
PID 1996 wrote to memory of 1932	1996	VC_redist.x64.exe	37
PID 1996 wrote to memory of 1932	1996	VC_redist.x64.exe	37
PID 1996 wrote to memory of 1932	1996	VC_redist.x64.exe	37
PID 1996 wrote to memory of 1932	1996	VC_redist.x64.exe	37
PID 1996 wrote to memory of 1932	1996	VC_redist.x64.exe	37
PID 1996 wrote to memory of 1932	1996	VC_redist.x64.exe	37
PID 1932 wrote to memory of 2960	1932	VC_redist.x64.exe	41
PID 1932 wrote to memory of 2960	1932	VC_redist.x64.exe	41
PID 1932 wrote to memory of 2960	1932	VC_redist.x64.exe	41
PID 1932 wrote to memory of 2960	1932	VC_redist.x64.exe	41
PID 1932 wrote to memory of 2960	1932	VC_redist.x64.exe	41
PID 1932 wrote to memory of 2960	1932	VC_redist.x64.exe	41
PID 1932 wrote to memory of 2960	1932	VC_redist.x64.exe	41
PID 2960 wrote to memory of 2852	2960	VC_redist.x64.exe	42
PID 2960 wrote to memory of 2852	2960	VC_redist.x64.exe	42
PID 2960 wrote to memory of 2852	2960	VC_redist.x64.exe	42
PID 2960 wrote to memory of 2852	2960	VC_redist.x64.exe	42
PID 2960 wrote to memory of 2852	2960	VC_redist.x64.exe	42
PID 2960 wrote to memory of 2852	2960	VC_redist.x64.exe	42
PID 2960 wrote to memory of 2852	2960	VC_redist.x64.exe	42
PID 2852 wrote to memory of 2160	2852	VC_redist.x64.exe	43
PID 2852 wrote to memory of 2160	2852	VC_redist.x64.exe	43
PID 2852 wrote to memory of 2160	2852	VC_redist.x64.exe	43
PID 2852 wrote to memory of 2160	2852	VC_redist.x64.exe	43
PID 2852 wrote to memory of 2160	2852	VC_redist.x64.exe	43
PID 2852 wrote to memory of 2160	2852	VC_redist.x64.exe	43
PID 2852 wrote to memory of 2160	2852	VC_redist.x64.exe	43

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\AllOutInstaller(1.3.2).exe
"C:\Users\Admin\AppData\Local\Temp\AllOutInstaller(1.3.2).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\TEMP\{87E60DD7-0605-487E-A7F9-9422E77FD4B1}\.cr\AllOutInstaller(1.3.2).exe
  "C:\Windows\TEMP\{87E60DD7-0605-487E-A7F9-9422E77FD4B1}\.cr\AllOutInstaller(1.3.2).exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\AllOutInstaller(1.3.2).exe" -burn.filehandle.attached=188 -burn.filehandle.self=184
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\TEMP\{D68B8595-0A4E-47AB-9D6E-71D45B821EDE}\.be\AllOutInstaller.exe
    "C:\Windows\TEMP\{D68B8595-0A4E-47AB-9D6E-71D45B821EDE}\.be\AllOutInstaller.exe" -q -burn.elevated BurnPipe.{9789419B-4BD6-49AE-9247-275FB07C3C8E} {C1445C79-9039-441D-860B-0F6A0684936D} 2892
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\ProgramData\Package Cache\CCF4FD7DA2C3440F1BC7FCAC67C8A12599EAB8D5C015AFFDC2E439FA30F5C786\VC_redist.x64.exe
      "C:\ProgramData\Package Cache\CCF4FD7DA2C3440F1BC7FCAC67C8A12599EAB8D5C015AFFDC2E439FA30F5C786\VC_redist.x64.exe" /install /quiet /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Windows\Temp\{FF375AA0-AAAC-4FA2-8389-37AA5F37BB2E}\.cr\VC_redist.x64.exe
        
        "C:\Windows\Temp\{FF375AA0-AAAC-4FA2-8389-37AA5F37BB2E}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\CCF4FD7DA2C3440F1BC7FCAC67C8A12599EAB8D5C015AFFDC2E439FA30F5C786\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 /install /quiet /norestart
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Windows\Temp\{CA2089FB-92AB-4CEB-9B0B-665451D6DF5E}\.be\VC_redist.x64.exe
        
        "C:\Windows\Temp\{CA2089FB-92AB-4CEB-9B0B-665451D6DF5E}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{8A5C1612-A399-4BD7-B7C6-179BCB6909B1} {71E55A86-5CB2-4892-A3FB-3F5B9DE28D37} 1996
        6⤵
        Adds Run key to start application
        Drops file in Windows directory
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={1de5e707-82da-4db6-b810-5d140cc4cbb3} -burn.filehandle.self=500 -burn.embedded BurnPipe.{D70BD7A8-C147-4C45-9B13-1314D08904CA} {3FBACE5E-6C0D-4CBE-9FD7-2921EBD387AF} 1932
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 -uninstall -quiet -burn.related.upgrade -burn.ancestors={1de5e707-82da-4db6-b810-5d140cc4cbb3} -burn.filehandle.self=500 -burn.embedded BurnPipe.{D70BD7A8-C147-4C45-9B13-1314D08904CA} {3FBACE5E-6C0D-4CBE-9FD7-2921EBD387AF} 1932
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{F21D05B8-F529-4D18-A397-5D6AFAB23A09} {3EE2A9F7-6B21-4FBD-808D-279D7C7C673A} 2852
        9⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A0" "000000000000057C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "00000000000003C0" "00000000000005A4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f776407.rbs

Filesize
17KB

MD5
a6c0e5463685e6f6c2e3815a1f2ade68

SHA1
2f5e9f42aaa460518fffe8769b949e888c15ecc0

SHA256
ff1dbd03b681a877c9984751f844cb4c62315a2ca5247c212162df370e51458c

SHA512
608083a5a495f1f7c78b6e358c0399ba9b8b067230b3bdc6d09e7d91ce17fdc09dd4f93512c34aa76d6d617ec953df85f5e3ba3a0fd703fb8c8dcb29d657711d

Download Submit
C:\Config.Msi\f776413.rbs

Filesize
16KB

MD5
1be104d7a9c6c1581b198d6cea0ebfc5

SHA1
659d738416aad6771a167a140364a6b83d088166

SHA256
e91a672c18ec8483338e04cff44dafab1e54bba4de8ec4a5afc4d98ffe0b3dbf

SHA512
c5209d3a569545599ddd674e4a39bb3500f1e8e2a24f5c191f4bc989330d87269cb6ed99f035c571eb8585cc3f88906c7b550c07ab04869d6dc40ed98db7b801

Download Submit
C:\Config.Msi\f77641b.rbs

Filesize
18KB

MD5
207c5215c9a92f7e416ea378e58866db

SHA1
7fbec5df54d21b2a9513de1de773733556adae94

SHA256
bfc2fd40ac088ede287964aba51a735ddb7e9466c162aff54e1c03c03d6b0075

SHA512
a8d46b41ccf333c6de8dd87a62f0be8b30fb524d1e108ed573833bcf21850cb6bc6cd2071441ea4a6c7306eff60715d6688db206e2bc5fdac2b5525903e52087

Download Submit
C:\Config.Msi\f77642a.rbs

Filesize
17KB

MD5
fd835327a2b8453ed7c15cea1abe865b

SHA1
13bf95e61a2b8c7cd35a6c547442cc02425d51d2

SHA256
7a90561b06758e9ac47aab53375d1a1f2baac15a83acd4ff9beefdb846bb8e74

SHA512
f4232df82ab0e221fc952c214f156d569a2c07f7d8a0116d77b18e9386019f51d24b6cbadd04bb030832edbd4966eba831805b3080c5546547b0d6f513d816c9

Download Submit
C:\Config.Msi\f776430.rbs

Filesize
10KB

MD5
a54cc5d1e6e89c6cbcf3e0b05f6c912d

SHA1
cd3dd06464f25b34089c7c4ec07546f128274c5a

SHA256
23a7e220d52382fa01b4b1cb0547482b2fcb441613ecf7898c80cdf03f4c78be

SHA512
185fdd95c47af741295271d20bab6951be7496ecec70bafb082ee49db05e002405d589f3d3b98b48cf1b0b2d37f615e4189b3729b1a66bcdde633073d663a6a2

Download Submit
C:\ProgramData\Package Cache\{D2B8B46C-3AA6-46DC-8354-40024777203E}\state.rsm

Filesize
1022B

MD5
f8dc5c544c043ee7eacc806b194c003c

SHA1
2d8b921dd914de75aa4351be9da9c97baaeea219

SHA256
4537b4c876b11215860752f3051e85646193f6b908ed7c1548e3c787c5901108

SHA512
659a29bfb6f4d7dbc5e3433c711b898294120b5562f66035436d8350dd1da28fac1e4aeabd32dfd20683831330d9d6364a91fb28fdc9c87bdcd1cecf032e8155

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e1836f4319ddf6a4150c586a42560e4

SHA1
05cf9fb3b03833480251f26037447244e6ce252a

SHA256
49600067460c36f33075bc301b423deb5f4fded1d4df397f7063365cbc75e0df

SHA512
47e7a86c5929dd7ea0674505d3ba5acf30d6ff3a71b9ca5d7167dc8db8ce57a0cf28893113b300977e13ec84dc0494099cca07e59171df2fd267775795942c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\All_Out_Installer_20240813183353_001_installer.msi.log

Filesize
1KB

MD5
ab0420021e592cc95858db3ad23dcb04

SHA1
365864c7e9a39d765d0ceac07881e4502eeed443

SHA256
b2006a3e3d9636a241742c5b9db38458a79e9177f288535104cf2c4c0eaa3a40

SHA512
208c625b85e446be08826a3da49e6b08ec8b4872f99054d0f547b5d1f7e2248295054210d3a89c2537ffe70b43ab3242047f32739d43d7c3114900494dbdb0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6470.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6482.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240813183414_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
77e1faea31e3ab9dbb55e3e25728b0d7

SHA1
c0ed6dda70919310b27fac543cde3b96dd98bafe

SHA256
5c548c5559bc99a99dc9f712aadf510fa9371d67c4ea98edbb1de33fc9325ab2

SHA512
abb7c00a03f36fa5f88ec02870d9e737f97a07c29a406aeea398e5dc2f58867e79246bd9c5a4ca7fee6a7759facb419e1eeca551728c41b75ba62062f149d959

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240813183414_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
2c15a642b6390530477f7dbf4ab7932b

SHA1
0117104f3a035f36976d4b9c929540d08369e996

SHA256
97bbe8c309325f1198d2ca86c65aec8c114216f09fd84184637c451ecc6c2b74

SHA512
2b345218b577182da9dd82fccf394ea567a5ec57b78c3e908930516808fcc1ec5e5cfc1ec11db04686eee6e4d47350f6f66604b82545e1c00f65dfc53ac3f9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D68B8595-0A4E-47AB-9D6E-71D45B821EDE}\VC_redist.x64.exe

Filesize
24.2MB

MD5
101b0b9f74cdc6cdbd2570bfe92e302c

SHA1
2e6bae42c2842b4f558bd68099479b929bb7d910

SHA256
4dfe83c91124cd542f4222fe2c396cabeac617bb6f59bdcbdf89fd6f0df0a32f

SHA512
ccf4fd7da2c3440f1bc7fcac67c8a12599eab8d5c015affdc2e439fa30f5c7868ef5f52ede058361faae37ccc4af2c17c0adf30b8e1f852bb7106d0ec7162506

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D68B8595-0A4E-47AB-9D6E-71D45B821EDE}\installer.msi

Filesize
3.0MB

MD5
1f6e085b888698ddcf77ec03ecc465aa

SHA1
afd431d9d631c153c2c83ff65e7c8c767e9513cd

SHA256
b6c6404fc2467d80e9688a20b4479f789676194f0fe902b3385c66c4f7a38d6e

SHA512
7b32294bf215acbd54b41afa3abb129f924ac97a858a6ede1444e4334334382ec29ca23f078fe9f281f526e9a9a57064b2fb42ff5353662205c8646e05c86d2f

Download Submit
C:\Windows\Temp\{CA2089FB-92AB-4CEB-9B0B-665451D6DF5E}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{CA2089FB-92AB-4CEB-9B0B-665451D6DF5E}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
e181a4fd7fc6a5a35d355efccb2c02d2

SHA1
762ded20d790e9342119f7578a4453ac512a0285

SHA256
e792f561821e193991fcc0c98038f0b0b905b0b0c67b55aaa1040d18652c6225

SHA512
8a8f04f5a044cfd126da9fafbdc86e74c7dc1624b241ed527e11bcdc389b8d9756c9fa6217b220e9aa49fb604285d8fb8c0dead91a7e456937e8b474000e32fe

Download Submit
C:\Windows\Temp\{CA2089FB-92AB-4CEB-9B0B-665451D6DF5E}\cab5046A8AB272BF37297BB7928664C9503

Filesize
958KB

MD5
b9c44fa1b63f24db5f63e4d5992428bc

SHA1
4b6b0db14c7444009b71a20cba406b27a03edaac

SHA256
dc862c89bccaeeb3b7ae04895377a6156dd81e0e1ff460b692f6cec51b865f4f

SHA512
0ce0612d528a237691d860c11a6f37555185871e80667a99ef23229496c87ddfeba13ef492eb330f3a75206e645e683617ff9d3b2a756d544af4d34ee8e3cd46

Download Submit
C:\Windows\Temp\{CA2089FB-92AB-4CEB-9B0B-665451D6DF5E}\vcRuntimeAdditional_x64

Filesize
188KB

MD5
ea980cf567e11691d1e4476eb46cf0b9

SHA1
a0520000ad102411c041fc44e333fa298e72b38f

SHA256
98c9604efcba36d02387a570ddf9697951fb8f625c5ce2471a2d4a573e962d23

SHA512
b07184932de406cc1df8ae3599d0418211f3b3f40711f743aa7534d06757794aa9f1b61f6b7fa85cd604f5e6eca7d08a04ec2d2c78c80fff5bdec2b772f5656d

Download Submit
C:\Windows\Temp\{CA2089FB-92AB-4CEB-9B0B-665451D6DF5E}\vcRuntimeMinimum_x64

Filesize
188KB

MD5
cde169db3e6657e49a923413bec65774

SHA1
6c57b389c08a0a3bd3c8919c2b546fb9e1ea7003

SHA256
6cf659c5d73f2ce102b60a64f820f57d598efbfb1e1a0f393a5df7f11bbc35c3

SHA512
d32b32ec275ea7befe7c63977cd300887bc88460d56c4fb848447c87006ead29fdb41c60688186d18bfac6ff6f0c8a441d1fb91765a4fda93824d4b61a4ae627

Download Submit
C:\Windows\Temp\{D68B8595-0A4E-47AB-9D6E-71D45B821EDE}\.ba\logo.png

Filesize
110KB

MD5
75cf36080d905260d2c1c01fb4fc4a11

SHA1
5f8624672cd926bff39207c455976e0ff7428a8a

SHA256
28a7ff31cb6d56d6cdea81b79e416878155e2d07e3cc9ef48e68d41a8b9420b9

SHA512
2a907857ff62934acf48916d920c27c4f2a4119a3cfcb8cd13647e65463134c6a9fb3462598df86cfffdb4436394a8e127ebee7678800935e7b0c60afaefe499

Download Submit
C:\Windows\WindowsUpdate.log

Filesize
17KB

MD5
02bbba529bf0f6a4b62ffff777e47921

SHA1
f291508fa23a76a9189c503972d8e81b68be3e18

SHA256
3d3c10fa07cf68fd86c7ce466b0ced07e7d9178765b1eefcc81289c8e1c616a5

SHA512
3e157bad689688b1f8d20388ef81417cab6ba232ef03296123c794fbeee151dbdde107ad4c5bfaf29503335e851d711188d7a0e35690226fb6c551c6e4dbb377

Download Submit
C:\Windows\WindowsUpdate.log

Filesize
16KB

MD5
5cbd03292d719bfce3f2bbc2a508e1c6

SHA1
d4eeade49fd89771d8d7eea517dd0fba4ade0cfb

SHA256
09df14bece581b3b649d406545bdbc0d5395e2901549c3165d7cec6b1f4a2c1f

SHA512
9917b69015b8a1901c3253d380243788a0e675d03bd1400c5c7d251e8d97eece69e6756e4f49e7d73ba37c632c875386c33740dcb20432243a3310fbe9c9fd03

Download Submit
\Windows\Temp\{87E60DD7-0605-487E-A7F9-9422E77FD4B1}\.cr\AllOutInstaller(1.3.2).exe

Filesize
1.1MB

MD5
e36786eec8e3476350d5f28b7263cdf1

SHA1
4b24406ff78cb4bb71769e245bd14328dc1ec3f3

SHA256
99202354823cfe17c8ebcfb6c9577a1716cb330bcabf431ee9d8326862415289

SHA512
daeefc972df40e9fffc30ae6674a41ccd435c9603bb5cd73b9e32dd78c9af0277d0c67d9c951a73412ef933a2ac7c7e4f080372b886ccf478c96a1bc7effe253

Download Submit
\Windows\Temp\{CA2089FB-92AB-4CEB-9B0B-665451D6DF5E}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
\Windows\Temp\{D68B8595-0A4E-47AB-9D6E-71D45B821EDE}\.ba\wixstdba.dll

Filesize
366KB

MD5
58c2f07c4886df52324737ee0778bcc0

SHA1
1c2d39b5820ea325b554e9523872c34530dde862

SHA256
341a6ea5af03d25a1b1e8f9f62540cf11c55c9b81bd34df6e8c5f0fbf63e7a52

SHA512
a4b166727233295f4a70519a10c94bec6856907dbf0506806a33dbf16e6648b794488065c870b958655b3e758c9c78829970fb9f87d34750e6c59e14d301ca04

Download Submit
\Windows\Temp\{FF375AA0-AAAC-4FA2-8389-37AA5F37BB2E}\.cr\VC_redist.x64.exe

Filesize
635KB

MD5
53e9222bc438cbd8b7320f800bef2e78

SHA1
c4f295d8855b4b16c7450a4a9150eb95046f6390

SHA256
0e49026767420229afd23b1352cf9f97f24e0768c3d527000d449ffdb4ca6888

SHA512
7533f9791e1807072a4dbb6ca03c696b12dfa5337678fab53aceea0e4b7e5ffefb90c9b450ac80878e1e9a4bce549f619da4cd2d06eb2554c9add5b4ec838b4a

Download Submit
memory/2160-403-0x0000000000CC0000-0x0000000000D37000-memory.dmp

Filesize
476KB

Download
memory/2164-540-0x000000013F560000-0x000000013F63F000-memory.dmp

Filesize
892KB

Download
memory/2852-440-0x0000000000CC0000-0x0000000000D37000-memory.dmp

Filesize
476KB

Download
memory/2960-441-0x0000000000CC0000-0x0000000000D37000-memory.dmp

Filesize
476KB

Download