762495d6b19eb09588adbfcef71a70b11d07c2e73a9538e93dcaf81a2a4f8486

Analysis

max time kernel
85s
max time network
86s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Paragon HFS+ for Windows 11.0.0.175 + Crack/Setup.msi
Size

20.0MB
MD5

e6db65b0dfdb2d617a81bb029cac80af
SHA1

d78d7f4cb8f667a9f591c563a8d1ee755fcfbb9b
SHA256

623fe3396a0d2164f6628d96da5c77ed5f672c7fd58b8e6fc9435b785c52e2de
SHA512

206f69bde5a485a4afb24db8a46d46073b99d11654117540a0f731b9611fabb6f2beb9d5b06df44354650d45bc9e2d8f4203db18ea2ac710c52e6acdcaca91ea
SSDEEP

393216:uw7BmwiSMoUtV8dvW2autet7bn0GH6wYEM0vhfCpPQ:378dTlatet7b0GEJ

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 18 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRIVERS\SETF78A.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETF6CF.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\apmwin.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETF21B.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\hfsplus.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETF335.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETF3E1.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETF529.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETF21B.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\hfsplusrec.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETF3E1.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETF529.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\mounthlp.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETF6CF.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\gpt_loader.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETF78A.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETF335.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\csvol.sys	MsiExec.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
4	3532	msiexec.exe
7	3532	msiexec.exe
9	3532	msiexec.exe
15	3532	msiexec.exe
24	3532	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\system32\DRVSTORE\hfsplus_7AC763E9E36E541735B1A0E5DC1B069736D8D952\hfsplus.cat	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\hfsplusrec_08BF7AAF43057CF8E0DDABDAF8C4AAE237A5C270\hfsplusrec.cat	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\gpt_loader_765D82462469CE07EBA27A60DF1A61C7F1B0C5AC\gpt_loader.inf	MsiExec.exe
File opened for modification	C:\Windows\system32\DRVSTORE	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\hfsplus_7AC763E9E36E541735B1A0E5DC1B069736D8D952\hfsplus.inf	MsiExec.exe
File opened for modification	C:\Windows\system32\DRVSTORE\hfsplus_7AC763E9E36E541735B1A0E5DC1B069736D8D952\hfsplus.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\apmwin_60CFEF083E31C1382D749696149AB4F7DD5650DD\apmwin.cat	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\mounthlp_D87993A7574115462737A52F0F04F38F5611F1E7\mounthlp.cat	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\mounthlp_D87993A7574115462737A52F0F04F38F5611F1E7\mounthlp.sys	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\hfsplus_7AC763E9E36E541735B1A0E5DC1B069736D8D952\hfsplus.sys	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\hfsplusrec_08BF7AAF43057CF8E0DDABDAF8C4AAE237A5C270\hfsplusrec.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\mounthlp_D87993A7574115462737A52F0F04F38F5611F1E7\mounthlp.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\csvol_E60E6022CDA5C4C158F67D41B1858D3E1D7FDEF8\csvol.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\csvol_E60E6022CDA5C4C158F67D41B1858D3E1D7FDEF8\csvol.cat	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\csvol_E60E6022CDA5C4C158F67D41B1858D3E1D7FDEF8\csvol.sys	MsiExec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\hfsplusrec_08BF7AAF43057CF8E0DDABDAF8C4AAE237A5C270\hfsplusrec.sys	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\apmwin_60CFEF083E31C1382D749696149AB4F7DD5650DD\apmwin.inf	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\apmwin_60CFEF083E31C1382D749696149AB4F7DD5650DD\apmwin.sys	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\gpt_loader_765D82462469CE07EBA27A60DF1A61C7F1B0C5AC\gpt_loader.cat	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\gpt_loader_765D82462469CE07EBA27A60DF1A61C7F1B0C5AC\gpt_loader.sys	MsiExec.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\hfsplusevents.dll	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\hfsplusrec\hfsplusrec.cat	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\hfsplus\hfsplus.inf	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\hfsplusrec\hfsplusrec.sys	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\remove.reg	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\activation\lang.mo	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\gpt_loader\gpt_loader.cat	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\gpt_loader\gpt_loader.inf	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\gpt_loader\gpt_loader.sys	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\updater\lang.mo	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\hfsplus\hfsplus.sys	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\mounthlp\mounthlp.inf	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\apmwin\apmwin.sys	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\csvol\csvol.sys	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\HFS4WinHelpe.chm	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\apmwinsrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\hfsplusrec\hfsplusrec.inf	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\mounthfs.exe	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\apmwin\apmwin.cat	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\mounthlp\mounthlp.cat	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\activation\OnlineActivator.exe	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\csvol\csvol.inf	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\install.reg	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\mounthlp\mounthlp.sys	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\updater\Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\apmwin\apmwin.inf	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\csvol\csvol.cat	msiexec.exe
File created	C:\Program Files (x86)\Paragon Software\HFS+ for Windows\hfsplus\hfsplus.cat	msiexec.exe

Drops file in Windows directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED8E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE70.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF123.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF386.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDFF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDAE.tmp	msiexec.exe
File created	C:\Windows\Installer\{429D6E81-8E1E-42E6-8AB9-025DD9157F9B}\HFS4Win.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEFDA.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{429D6E81-8E1E-42E6-8AB9-025DD9157F9B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED3C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE3F.tmp	msiexec.exe
File created	C:\Windows\Installer\{429D6E81-8E1E-42E6-8AB9-025DD9157F9B}\OnlineActivator.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{429D6E81-8E1E-42E6-8AB9-025DD9157F9B}\OnlineActivator.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED5D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED6D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDCE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDDF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE81.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF82E.tmp	msiexec.exe
File created	C:\Windows\Installer\e58e70f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE1F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{429D6E81-8E1E-42E6-8AB9-025DD9157F9B}\HFS4Win.ico	msiexec.exe
File created	C:\Windows\Installer\e58e711.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF2E9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIECFD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE50.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF4B0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF676.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF771.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e58e70f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE809.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE9A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF82F.tmp	msiexec.exe

Loads dropped DLL 28 IoCs

pid	Process
3464	MsiExec.exe
4408	MsiExec.exe
1548	MsiExec.exe
4408	MsiExec.exe
1548	MsiExec.exe
1548	MsiExec.exe
1548	MsiExec.exe
1548	MsiExec.exe
1548	MsiExec.exe
1548	MsiExec.exe
1548	MsiExec.exe
1548	MsiExec.exe
1548	MsiExec.exe
1548	MsiExec.exe
1548	MsiExec.exe
1548	MsiExec.exe
4560	MsiExec.exe
916	MsiExec.exe
916	MsiExec.exe
916	MsiExec.exe
916	MsiExec.exe
916	MsiExec.exe
916	MsiExec.exe
1548	MsiExec.exe
4408	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 27 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e7a671f193ce7b7c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e7a671f10000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e7a671f1000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de7a671f1000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e7a671f100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	MsiExec.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	MsiExec.exe

Modifies data under HKEY_USERS 60 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "242"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MsiExec.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Paragon HFS+ for Windows 11.0.0.175 + Crack\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\Version = "184549376"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E4FF0FC9D08E6B54ABB6A939FE3FE0FD\18E6D924E1E86E24A89B20D59D51F7B9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\18E6D924E1E86E24A89B20D59D51F7B9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\18E6D924E1E86E24A89B20D59D51F7B9\hfsplusrec	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\ProductName = "Paragon HFS+ for Windows"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\PackageCode = "E5CA9B9B7026E394B815F57A592F98CC"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E4FF0FC9D08E6B54ABB6A939FE3FE0FD	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\18E6D924E1E86E24A89B20D59D51F7B9\apmwin	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\18E6D924E1E86E24A89B20D59D51F7B9\mounthlp	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\18E6D924E1E86E24A89B20D59D51F7B9\csvol	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\18E6D924E1E86E24A89B20D59D51F7B9\events	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\18E6D924E1E86E24A89B20D59D51F7B9\main_files	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\18E6D924E1E86E24A89B20D59D51F7B9\gpt_loader	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\SourceList\PackageName = "Setup.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Paragon HFS+ for Windows 11.0.0.175 + Crack\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\18E6D924E1E86E24A89B20D59D51F7B9\hfsplus	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18E6D924E1E86E24A89B20D59D51F7B9\ProductIcon = "C:\\Windows\\Installer\\{429D6E81-8E1E-42E6-8AB9-025DD9157F9B}\\HFS4Win.ico"	msiexec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Paragon\HFS+ for Windows\HFS11:rsrc	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3404	msiexec.exe
3404	msiexec.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3532	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3532	msiexec.exe
Token: SeSecurityPrivilege	3404	msiexec.exe
Token: SeCreateTokenPrivilege	3532	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3532	msiexec.exe
Token: SeLockMemoryPrivilege	3532	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3532	msiexec.exe
Token: SeMachineAccountPrivilege	3532	msiexec.exe
Token: SeTcbPrivilege	3532	msiexec.exe
Token: SeSecurityPrivilege	3532	msiexec.exe
Token: SeTakeOwnershipPrivilege	3532	msiexec.exe
Token: SeLoadDriverPrivilege	3532	msiexec.exe
Token: SeSystemProfilePrivilege	3532	msiexec.exe
Token: SeSystemtimePrivilege	3532	msiexec.exe
Token: SeProfSingleProcessPrivilege	3532	msiexec.exe
Token: SeIncBasePriorityPrivilege	3532	msiexec.exe
Token: SeCreatePagefilePrivilege	3532	msiexec.exe
Token: SeCreatePermanentPrivilege	3532	msiexec.exe
Token: SeBackupPrivilege	3532	msiexec.exe
Token: SeRestorePrivilege	3532	msiexec.exe
Token: SeShutdownPrivilege	3532	msiexec.exe
Token: SeDebugPrivilege	3532	msiexec.exe
Token: SeAuditPrivilege	3532	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3532	msiexec.exe
Token: SeChangeNotifyPrivilege	3532	msiexec.exe
Token: SeRemoteShutdownPrivilege	3532	msiexec.exe
Token: SeUndockPrivilege	3532	msiexec.exe
Token: SeSyncAgentPrivilege	3532	msiexec.exe
Token: SeEnableDelegationPrivilege	3532	msiexec.exe
Token: SeManageVolumePrivilege	3532	msiexec.exe
Token: SeImpersonatePrivilege	3532	msiexec.exe
Token: SeCreateGlobalPrivilege	3532	msiexec.exe
Token: SeCreateTokenPrivilege	3532	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3532	msiexec.exe
Token: SeLockMemoryPrivilege	3532	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3532	msiexec.exe
Token: SeMachineAccountPrivilege	3532	msiexec.exe
Token: SeTcbPrivilege	3532	msiexec.exe
Token: SeSecurityPrivilege	3532	msiexec.exe
Token: SeTakeOwnershipPrivilege	3532	msiexec.exe
Token: SeLoadDriverPrivilege	3532	msiexec.exe
Token: SeSystemProfilePrivilege	3532	msiexec.exe
Token: SeSystemtimePrivilege	3532	msiexec.exe
Token: SeProfSingleProcessPrivilege	3532	msiexec.exe
Token: SeIncBasePriorityPrivilege	3532	msiexec.exe
Token: SeCreatePagefilePrivilege	3532	msiexec.exe
Token: SeCreatePermanentPrivilege	3532	msiexec.exe
Token: SeBackupPrivilege	3532	msiexec.exe
Token: SeRestorePrivilege	3532	msiexec.exe
Token: SeShutdownPrivilege	3532	msiexec.exe
Token: SeDebugPrivilege	3532	msiexec.exe
Token: SeAuditPrivilege	3532	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3532	msiexec.exe
Token: SeChangeNotifyPrivilege	3532	msiexec.exe
Token: SeRemoteShutdownPrivilege	3532	msiexec.exe
Token: SeUndockPrivilege	3532	msiexec.exe
Token: SeSyncAgentPrivilege	3532	msiexec.exe
Token: SeEnableDelegationPrivilege	3532	msiexec.exe
Token: SeManageVolumePrivilege	3532	msiexec.exe
Token: SeImpersonatePrivilege	3532	msiexec.exe
Token: SeCreateGlobalPrivilege	3532	msiexec.exe
Token: SeCreateTokenPrivilege	3532	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3532	msiexec.exe
Token: SeLockMemoryPrivilege	3532	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3532	msiexec.exe
3532	msiexec.exe
3532	msiexec.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4560	MsiExec.exe
4560	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
3464	MsiExec.exe
5096	LogonUI.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 3464	3404	msiexec.exe	103
PID 3404 wrote to memory of 3464	3404	msiexec.exe	103
PID 3404 wrote to memory of 3464	3404	msiexec.exe	103
PID 3404 wrote to memory of 4724	3404	msiexec.exe	108
PID 3404 wrote to memory of 4724	3404	msiexec.exe	108
PID 3404 wrote to memory of 4408	3404	msiexec.exe	110
PID 3404 wrote to memory of 4408	3404	msiexec.exe	110
PID 3404 wrote to memory of 1548	3404	msiexec.exe	111
PID 3404 wrote to memory of 1548	3404	msiexec.exe	111
PID 3404 wrote to memory of 1548	3404	msiexec.exe	111
PID 3404 wrote to memory of 4560	3404	msiexec.exe	112
PID 3404 wrote to memory of 4560	3404	msiexec.exe	112
PID 3404 wrote to memory of 4560	3404	msiexec.exe	112
PID 3404 wrote to memory of 916	3404	msiexec.exe	113
PID 3404 wrote to memory of 916	3404	msiexec.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Paragon HFS+ for Windows 11.0.0.175 + Crack\Setup.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3532

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4D9B2B02DE2840EA7EA99846318F793B C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:3464
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4724
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding B106B52390BFA52F0C23CA920A96333C
  2⤵
  - Loads dropped DLL
  PID:4408
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 29C451C4260A562A729A695B9481C370
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1548
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7CE3E8073C78114B1F5B6E1943C98648 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4560
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 33796633583343D77AF6379E53BDCA8A E Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1040

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa390d855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58e710.rbs

Filesize
4.1MB

MD5
028590e9bb4efc7f5ba889c2a8bfc9b2

SHA1
2bf5ec78b16bf46be177711ed535fbf6fe5841c8

SHA256
8d22e19cb66f09ec9c1bf0061eba88ad298a33207b7f125fe249f93f7e3fe342

SHA512
14313357d2bf400438f692d46bb033c4702b2dbfb467e07303a6f10f00eccfc2f5e978468619f2579459d490fe2f8b27d551a51cd7e15c09b1d2d4056edcaa92

Download Submit
C:\Program Files (x86)\Paragon Software\HFS+ for Windows\apmwin\apmwin.cat

Filesize
16KB

MD5
4dc49028dde3e9cc394dcaf8fcfe329e

SHA1
60cfef083e31c1382d749696149ab4f7dd5650dd

SHA256
7fed5e5591aa76e90fea1faa577e64afa93b9ab4f497c1f67f5ce2a9e7dbf407

SHA512
1d2e430932ec02221779304e819ef996b864c965d39f1679eeba3a0420eba8471c86264cb6744bf1f2ced94e39d12610edcf82b127e59bd1a115fd7e4b42dfdf

Download Submit
C:\Program Files (x86)\Paragon Software\HFS+ for Windows\apmwin\apmwin.inf

Filesize
1KB

MD5
da3ed9d30a532ec3d6fc2fb09457240d

SHA1
8811f2f4df64cd2fcb93e00b61c57002423afe19

SHA256
cd81331eb4867c6f959c7e4e2eaae9ff13c5a11caaef04c90c5a84d13b33de8c

SHA512
bc1022b3cc9ffcbd53d36ac87531ed3aad7639f01e557b5ef89b8ba3985ef75a47265556fa9e995da62dcffcc7878d1556f68d57a2a61cd8cf982003f56b1180

Download Submit
C:\Program Files (x86)\Paragon Software\HFS+ for Windows\apmwin\apmwin.sys

Filesize
36KB

MD5
9d28ce33e6d0ea4b90ef5dc7cb012812

SHA1
348e46fd38ff69bdb38a591a58ce8655744c6966

SHA256
476f11ff42b66f0b80807cfdfc3592110340bfdee6cde9e78d132466191d7899

SHA512
c715d4beceeb27daaaf549c508b0f712b7bd42bbce805161ca91ad2f97031436ba85c1499d2b91f783e890b099473b7e1dbb763cac258effa1941e76818f370a

Download Submit
C:\Program Files (x86)\Paragon Software\HFS+ for Windows\hfsplus\hfsplus.cat

Filesize
16KB

MD5
0d91d5b4ccc452711bac19b5bf7bd0f7

SHA1
7ac763e9e36e541735b1a0e5dc1b069736d8d952

SHA256
a0a4d1ef0cf7ce8c21ae2fceeb57552c240206185778098a24752c3f6e314f53

SHA512
6d34618b20cc61dc5c290cb7e5f579a4918fb2eb012802de5f611de0b9e4d3e81ded6bbcac8a98dc80f3c909a34a48cd17a3a37ebadcfb63d202143d2077b369

Download Submit
C:\Program Files (x86)\Paragon Software\HFS+ for Windows\hfsplus\hfsplus.inf

Filesize
1KB

MD5
cbbb351210fc08a1f0cacb46bffe8b2c

SHA1
e0fc25c57719b826e8eb43d84e6cd9b00633db0f

SHA256
1617e1897767b36138bd15b5dc75bc848de34b4c6c22a784f975115885123231

SHA512
e1da771845b02ab3e5b6e9d7564d92d00c0d26e48bf733e468b68f738df54b51802c558bef7843400282b6eca949b6bae5c0b31fa55c7e39fd87d6029b0bb5be

Download Submit
C:\Program Files (x86)\Paragon Software\HFS+ for Windows\hfsplus\hfsplus.sys

Filesize
208KB

MD5
d8762f2e7e45a514019a3292a098ce3c

SHA1
f67ca2b9930975c06b4681db05c5a246e8e76f0b

SHA256
3da41c56d035667cf81431b52929cee17cb33a4cddaf53c62a4988fc3fe33137

SHA512
337f3c07727d24e57e69f4dd820bdf72c76877d16992c65ff41cd6992c8547a17110f3963e4aaf1cdf2431eebd1c1c68855194671055832b9931ddf8ba125db8

Download Submit
C:\Program Files (x86)\Paragon Software\HFS+ for Windows\hfsplusrec\hfsplusrec.cat

Filesize
17KB

MD5
58da4dccba73a0fb70185c1775f899aa

SHA1
08bf7aaf43057cf8e0ddabdaf8c4aae237a5c270

SHA256
1695951dde2668e8a2ba7fb95acc3949fb434efd20784171f29281bf82210daf

SHA512
9958d7ca31eb57c6c46afcfe04a3126a3c551abe86d46091ae7c40541b1806ac745cd0a7b568fcfdc1aa158e70300f4f4b93c8b5025048552872d5acd964968c

Download Submit
C:\Program Files (x86)\Paragon Software\HFS+ for Windows\hfsplusrec\hfsplusrec.inf

Filesize
1KB

MD5
342ea09e2b048a32ad08bd09a4df5b5b

SHA1
77af508f8a2e04e037b61454099341e5dcc2dcdc

SHA256
c38fa18f8a6c60edb9bd2e30e9bfd64e573d1911fd0bc3e09a500f176ce37080

SHA512
af7489d407c9acc2b0e7c592e6f807879ca221f854b8d7fb6c1c2fe29516ba042068cafc126926edf213eed9e95a0d6b86d8f05f673376044cba7278a11464ff

Download Submit
C:\Program Files (x86)\Paragon Software\HFS+ for Windows\hfsplusrec\hfsplusrec.sys

Filesize
23KB

MD5
d9ba9b93e57acd90ce3bc330b6823772

SHA1
eb07b569b386a15708a54dad29c2f3ad1b283bc4

SHA256
af4f0c9355d7afcd82d93a6ea613f010028d2e55c652e89b8783078e8068d8fe

SHA512
36725e2330ec8f726ac37461dab6ca08af518eb2aeabfb3d58102f986a4f29fd0271e8206a82a572c90efe0948ba397c53001ff181d5ced6074101b65bbc9c5d

Download Submit
C:\Program Files (x86)\Paragon Software\HFS+ for Windows\mounthlp\mounthlp.cat

Filesize
16KB

MD5
623c1997a31e2e810da57c1d019bbdc9

SHA1
d87993a7574115462737a52f0f04f38f5611f1e7

SHA256
a487d54060cd12db3c854ddd4d7d38af1e85c0c115c6e9acb91cd81c3b243086

SHA512
e37e0ca70d068ed773e9e119429fd79254c627dd57a6d2f3113e6dcba1ae911f270a77a2c198419eca8097253eb2c3caff3920636a41a136463b7ab272d2513b

Download Submit
C:\Program Files (x86)\Paragon Software\HFS+ for Windows\mounthlp\mounthlp.inf

Filesize
2KB

MD5
fd9f6f4255ca1ae110620fa52969ded7

SHA1
de08974244e2328651888811589df9afe730f5b7

SHA256
aeec58a0065d403972c4b8750d3da23cc2da79b8bba9731c3131f63ef4ad2bf6

SHA512
e7203f794285ce13b565ddbb7e4ecb375c737af8713dcfbd63696bb9530f0db6779da1855d2833be88ad46095de7517ee8f50a8255528bd235d0b41daa0b6c56

Download Submit
C:\Program Files (x86)\Paragon Software\HFS+ for Windows\mounthlp\mounthlp.sys

Filesize
49KB

MD5
9322850a5d27631f76f7893bddc13d7c

SHA1
befa5a68d04aa89b842a97c610a2368899309a2e

SHA256
97070cbd807cc8adef2b4c1c4b0898b962ea9bd85ca4f60c9daf8a4da41b95f3

SHA512
3353dd1f6c5d9bc23c1ce56e635ea62866a5cd3ca09cb491f4465faa2c8aaa67642f7a2d0f5a14c87a41884d5c7e091579eaab311922164a72604ce59c4b416c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
a0af4d81b2b19a99a3d01be89d5f99d9

SHA1
4725c1a810005f860ede9dace7f1e5a20e5230d6

SHA256
de9f05ceb1610cf9964f0def09d525005569602993c82a647743f192e9414d4a

SHA512
eb98d475d51d07b929d92fe5aa00bfa21078f567906f3650eb3bebfff39c616a21918da8f0687853310acebdb160d4f65451204619a7b8085fbbc25491bb0554

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_20D9D323AE9A6BDED2640101BA3441C9

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4

Filesize
92KB

MD5
ab18c3c8d24dd75b33e5cdd8be9991ec

SHA1
63d4cb16765488be47329244cff438c9e25afdc4

SHA256
3b197c62291e3cabfa8f23a228907a8514397524e5d2bd8d0e65df6b8246e6c2

SHA512
25e00e3bf0e38ad90f9bfc27b1c87f28d58d31fcd4f3072cbb23de12a5d8f20a01d71547554968fedeb606b479037a60aa564178f28dbcab895746c69320597b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
41a52a6e62ce2f7d7f583c84e7f30c60

SHA1
8c1409c935eaabebf2b2afd36e14b1f150c704d1

SHA256
2924b524b9655fdc4008144502621a909a41f7dfc533a586929c8d54f325ae14

SHA512
483fd63777ce40903ead9ccc6cf1b101b5f00b3e5be01317cd500815c27bf467ca0628955593fd18013be25e411f393e2999b731451317600e0fe04dbcf185c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
fad60b857ffb383cfff3be8a7c21f9e0

SHA1
920cf3d17eadb11e2cdb58b943eb81c21d634e61

SHA256
1a24632313b557852ea94d7bef0738181bcb565ff95c65b57719f8f9de1ea7df

SHA512
a82d303d16ccf0cdfd35c69095f8752007b67dfb889264d87e42e473d00c76a4e347d0fa23567e236cee71dd8743fd9efa27330ec5844d2cbed494fa3732c42b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_20D9D323AE9A6BDED2640101BA3441C9

Filesize
398B

MD5
4e31ae5f6b5261cba6690f93f4a8b2d1

SHA1
ed7db2b015cad05aa199a58141b1af1285b2b36d

SHA256
231d2ab0b406ec3a5d020354e0ea078d8785dcf845397bde9aa13b7ad45a9e69

SHA512
45c45d74c6c9620c1bcf51410cf6d793ddce5f87b568c6437020f6b2eaeedacddab3939498cab31500819c03510e540f22cab0454daab112f832905da7a6717c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4

Filesize
170B

MD5
b118c01838b1583a6ae6d985b4adddc7

SHA1
1b8495eced76dd4847e8a52a44e8036a1ee4ce4c

SHA256
206c7bfdfe5f9bf89e0eb1acde6349ac7d64d9e17c2da2c70178961c5f91a513

SHA512
f022b5c757fdac5bdaa79dee8414f944c07251e3703e8cf1324dbb28c03aa26228364fe0d8240a955d038606f181396fad8dca32892bbb6cb2dafa51c0122963

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB2D0.tmp

Filesize
102KB

MD5
e37ccced6d29164b5f50cf180f2b2cae

SHA1
cab6f6adb2cfcb6c2d3bbaed654db4a2932daa9c

SHA256
1aca72d28f41b0527359856a29ba1e46a1cffdb51d3fcd24d12d90fe96bbe287

SHA512
354d6bb5343d42bdc3ec228451d082b630583d0de309c375bd0bf3938aafc2106c094939bfede4c7379f6dfa93251690fe530e2929eaaeba6673aa8e0132c0ee

Download Submit
C:\Windows\Installer\MSIE809.tmp

Filesize
113KB

MD5
b32452a603e9c2372a42217ea0142e40

SHA1
5997d11a0085823163d2933249e82d44b364a877

SHA256
86e28271c33093a7c3d726a5d14155575ac8a75fc0d776b1a8f8e6b7ca0c1d0b

SHA512
8798f0ffb85ebd3dc1eeb2424cd85fc092c3626eb1e3d6b3a3bfe949eed9937197429b3edbcd5f44f8783e91737c43a0591924a7056b83de28e27a1063780ed3

Download Submit
C:\Windows\Installer\MSIECFD.tmp

Filesize
70KB

MD5
65b1c6904b0f01c86bdfdaaba9190f64

SHA1
5a212802526adc14c0d46bd856a7e1cfeb8e37ca

SHA256
7f7a4c7d77a5a379bb0506936f010cb55f7b5e7eee01ed0d8a4cc4c36c3129f6

SHA512
e73a057a34912bc28d612f91f74248777a2c70bca7354b534a2eb09afad80eef284f618e5b4fa499fa4f223f557420050cb25e0a90c5eec9fdc8cbafbf743678

Download Submit
C:\Windows\Installer\MSIED3C.tmp

Filesize
149KB

MD5
418322f7be2b68e88a93a048ac75a757

SHA1
09739792ff1c30f73dacafbe503630615922b561

SHA256
ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

SHA512
253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

Download Submit
C:\Windows\Installer\MSIEFDA.tmp

Filesize
3.8MB

MD5
c5d6743a325aff5d3f127b477e2912b9

SHA1
00d69dfa5f2716a0b60c1285cb3e62808e075e1a

SHA256
4bbdb4a152853bf6a9d4f65317ee71617e7054d4044b5ca6d268456176839d1e

SHA512
7cf8adc43df94a0e85b8e26f0b53a69511877d065e8a2a909579973f754fd05bd26b05e2cc600c193ebe8b48a41f34bd644bd1e98121a004e999f554b3556add

Download Submit
C:\Windows\Installer\MSIF123.tmp

Filesize
690KB

MD5
8deb7d2f91c7392925718b3ba0aade22

SHA1
fc8e9b10c83e16eb0af1b6f10128f5c37b389682

SHA256
cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

SHA512
37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

Download Submit
C:\Windows\Installer\e58e70f.msi

Filesize
20.0MB

MD5
e6db65b0dfdb2d617a81bb029cac80af

SHA1
d78d7f4cb8f667a9f591c563a8d1ee755fcfbb9b

SHA256
623fe3396a0d2164f6628d96da5c77ed5f672c7fd58b8e6fc9435b785c52e2de

SHA512
206f69bde5a485a4afb24db8a46d46073b99d11654117540a0f731b9611fabb6f2beb9d5b06df44354650d45bc9e2d8f4203db18ea2ac710c52e6acdcaca91ea

Download Submit
C:\Windows\System32\DRVSTORE\csvol_E60E6022CDA5C4C158F67D41B1858D3E1D7FDEF8\csvol.sys

Filesize
31KB

MD5
94ffd4264b0703c388dee5d169b84283

SHA1
9b3155bf7bb10e8692eae5e6d8b40c4fa1446736

SHA256
8748951b467c646aa79195e0adb009589ce8d25d97516ab9152a52fb9af52ead

SHA512
8e8b014ed4c8f560f61916fc6910342a9342f4698817409c3f3e07f110e7201ae3d10904429f4d91760e4bbbb74539e1122f3d692a9b8f62425061ab813d38a6

Download Submit
C:\Windows\System32\DRVSTORE\gpt_loader_765D82462469CE07EBA27A60DF1A61C7F1B0C5AC\gpt_loader.sys

Filesize
67KB

MD5
26a9beab3509c79eedbb6ccfa38c8acd

SHA1
5622eecede81492b9daab11ceb3cdcfc58f8481f

SHA256
25e54005bba064e355702e01219bb2dae5099344db009aae763e2aca6c9c85df

SHA512
f9ec073f97e8aade06d663db8404f7182376f41e7762b885f08ec9abb3e71711c1573b5355a1c4fadcb4f0d22cb9d3032b0662c03241d5bb0d38b3136bc1ecfb

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
19KB

MD5
ed0560fd88a729b3e7ffdc3a9b4fc2de

SHA1
d4a1ab27d5369afd095d525038dd191555d09e52

SHA256
168a38e0316496deff4d8695b13d7e0b1392a514078bef19b87532cc59ba0101

SHA512
efad04a7f3f0d46126db083561bda00ef68c9c76caeffd4acf48badda69acda9f584a003923c3e1895cf22828b242027f0766e198cb951373e19e3d22f8d8306

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
7ae00af5e91ed9725f9cf25c9bcf67a0

SHA1
45c180468fb4db3aedd538d1a90e6dfc00ea70f6

SHA256
8bcd32174e5a58b54c198af28243c1116865f7e1f2d789f436b23d6756acc44f

SHA512
c9c78d35d759224b24c401ad9aef26d69abd216a05ee22b9f5a261aafa7bb4393497f7988a14392e99ecd889e6ccd50809c02c968ad9d8dfea7f133868104d9e

Download Submit
\??\Volume{f171a6e7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3574b0fe-3daf-493b-9701-bbd93ef499dd}_OnDiskSnapshotProp

Filesize
6KB

MD5
4231bc2cfc0db15f0f23fe400f61b5a6

SHA1
ba8f2bdd2833f9eb12b7043109e6cd85a27b6c13

SHA256
2a3f5d79e965444b548df7a7b13c8cd5c046d354f705c66d7d6fd3ae818b031c

SHA512
48130beb1f798fb7a36716d33acc152bd0a779ec216a3af06afe750d8a1dc435e95a588ee04fbb1d2ef8728a7cd63e4b22a995667fc78ce32b353a1d436751bf

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads