e568fc1a9e6a85e872053700d0adefc16c191cbf43b8a75eea1fab647d3cbef5

Analysis

max time kernel
108s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rserv34cn.exe
Size

6.0MB
MD5

bc0ae58455a77f702d76ffebbf092abe
SHA1

5b9469375b98f6e11bb89e4d9a6f68d16552d971
SHA256

e568fc1a9e6a85e872053700d0adefc16c191cbf43b8a75eea1fab647d3cbef5
SHA512

aa6b73006c0d00fe504f312cb5ab615ed445d73f382b6ae4ef9059dce4aa89f80917f41fa1d94ea7abc2317e06056bc992ad32384dfe17641cf4591f0931563c
SSDEEP

98304:2QtoAtWTPEIa+70mnunxZE69LEtD/hgbmrO3J57pKkV4f16D882:2QtAPEj+wmnGTExJym63J5lT4/

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\SET4C27.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET4C27.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\rminiv3.sys	DrvInst.exe

Executes dropped EXE 3 IoCs

pid	Process
2164	rsetup64.exe
632	rsetup64.exe
2432	rsetup64.exe

Loads dropped DLL 11 IoCs

pid	Process
2440	MsiExec.exe
2440	MsiExec.exe
4056	MsiExec.exe
4056	MsiExec.exe
3084	MsiExec.exe
3928	MsiExec.exe
4468	MsiExec.exe
3928	MsiExec.exe
4468	MsiExec.exe
4468	MsiExec.exe
2440	MsiExec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
15	4120	MSIEXEC.EXE
17	4120	MSIEXEC.EXE
45	548	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in System32 directory 52 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rserver30\voicex.dll	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\mirrorv3.inf	msiexec.exe
File created	C:\Windows\System32\DriverStore\Temp\{b976da2f-6ad9-d342-9bf0-1c3d6bf4607c}\SET4A24.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\SET4C28.tmp	DrvInst.exe
File created	C:\Windows\SysWOW64\rserver30\WinLpcDl2.dll	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\FamItrfc.Exe	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\FirewallInstallHelper.dll	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\rschatx.dll	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\rsetup64.exe	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b976da2f-6ad9-d342-9bf0-1c3d6bf4607c}\SET4A25.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mirrorv3.inf_amd64_464860d34203ec0c\mirrorv3.inf	DrvInst.exe
File created	C:\Windows\SysWOW64\rserver30\WinLpcDl.dll	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\rchatx.dll	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\rsaudiox.dll	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\rminiv3.sys	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\mirrorv3.cat	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b976da2f-6ad9-d342-9bf0-1c3d6bf4607c}\mirrorv3.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b976da2f-6ad9-d342-9bf0-1c3d6bf4607c}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mirrorv3.inf_amd64_464860d34203ec0c\mirrorv3.PNF	rsetup64.exe
File created	C:\Windows\System32\DriverStore\Temp\{b976da2f-6ad9-d342-9bf0-1c3d6bf4607c}\SET4A23.tmp	DrvInst.exe
File created	C:\Windows\SysWOW64\rserver30\ChatLPCx.dll	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\vcintsx.dll	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\raddrvv3.sys	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\eula.txt	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\Radmin30cn.chm	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\2052.lng_rad	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b976da2f-6ad9-d342-9bf0-1c3d6bf4607c}\mirrorv3.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mirrorv3.inf_amd64_464860d34203ec0c\mirrorv3.cat	DrvInst.exe
File created	C:\Windows\SysWOW64\rserver30\RCursor.dll	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\rsl.exe	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\CHATLOGS\info.txt	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\mirrorv3.dll	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\Radmin30.chm	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b976da2f-6ad9-d342-9bf0-1c3d6bf4607c}\SET4A23.tmp	DrvInst.exe
File created	C:\Windows\SysWOW64\rserver30\FamItrf2.Exe	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b976da2f-6ad9-d342-9bf0-1c3d6bf4607c}\SET4A24.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b976da2f-6ad9-d342-9bf0-1c3d6bf4607c}\SET4A25.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mirrorv3.inf_amd64_464860d34203ec0c\rminiv3.sys	DrvInst.exe
File created	C:\Windows\System32\SET4C28.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mirrorv3.inf_amd64_464860d34203ec0c\mirrorv3.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\mirrorv3.dll	DrvInst.exe
File created	C:\Windows\SysWOW64\rserver30\rserver3.exe	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\R_sui.dll	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\raudiox.dll	msiexec.exe
File created	C:\Windows\SysWOW64\rserver30\vcintcx.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\Temp\{b976da2f-6ad9-d342-9bf0-1c3d6bf4607c}\SET4A36.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b976da2f-6ad9-d342-9bf0-1c3d6bf4607c}\mirrorv3.inf	DrvInst.exe
File created	C:\Windows\SysWOW64\rserver30\Fam64Helper.exe	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b976da2f-6ad9-d342-9bf0-1c3d6bf4607c}\rminiv3.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b976da2f-6ad9-d342-9bf0-1c3d6bf4607c}\SET4A36.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\NewShortcut3_6BF1780B36EA432B9451DD84FF5C9D52.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	rsetup64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4273.tmp	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\Installer\e584021.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e584021.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4525.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI46AE.tmp	msiexec.exe
File created	C:\Windows\Installer\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\NewShortcut4_6BF1780B36EA432B9451DD84FF5C9D52.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\NewShortcut3_6BF1780B36EA432B9451DD84FF5C9D52.exe	msiexec.exe
File created	C:\Windows\Installer\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\Z_MENU_SRVCFG_6BF1780B36EA432B9451DD84FF5C9D52.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\NewShortcut4_6BF1780B36EA432B9451DD84FF5C9D52.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI48A4.tmp	msiexec.exe
File created	C:\Windows\INF\c_display.PNF	rsetup64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\e584022.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\e584022.mst	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI443A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4620.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\Z_MENU_SRVCFG_6BF1780B36EA432B9451DD84FF5C9D52.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4864.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI441A.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI5D65.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3A8C4C87-D460-488A-A0AA-8993F6D355B1}	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rserv34cn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	rsetup64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	rsetup64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	rsetup64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	rsetup64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	rsetup64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	rsetup64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	rsetup64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	rsetup64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	rsetup64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	rsetup64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	rsetup64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	rsetup64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	rsetup64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	rsetup64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	rsetup64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	rsetup64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	rsetup64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	rsetup64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	rsetup64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	rsetup64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	rsetup64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	rsetup64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rsetup64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
548	msiexec.exe
548	msiexec.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4120	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4120	MSIEXEC.EXE
Token: SeSecurityPrivilege	548	msiexec.exe
Token: SeCreateTokenPrivilege	4120	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4120	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4120	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4120	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4120	MSIEXEC.EXE
Token: SeTcbPrivilege	4120	MSIEXEC.EXE
Token: SeSecurityPrivilege	4120	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4120	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4120	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4120	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4120	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4120	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4120	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4120	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4120	MSIEXEC.EXE
Token: SeBackupPrivilege	4120	MSIEXEC.EXE
Token: SeRestorePrivilege	4120	MSIEXEC.EXE
Token: SeShutdownPrivilege	4120	MSIEXEC.EXE
Token: SeDebugPrivilege	4120	MSIEXEC.EXE
Token: SeAuditPrivilege	4120	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4120	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4120	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4120	MSIEXEC.EXE
Token: SeUndockPrivilege	4120	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4120	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4120	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4120	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4120	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	4120	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	4120	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4120	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4120	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4120	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4120	MSIEXEC.EXE
Token: SeTcbPrivilege	4120	MSIEXEC.EXE
Token: SeSecurityPrivilege	4120	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4120	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4120	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4120	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4120	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4120	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4120	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4120	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4120	MSIEXEC.EXE
Token: SeBackupPrivilege	4120	MSIEXEC.EXE
Token: SeRestorePrivilege	4120	MSIEXEC.EXE
Token: SeShutdownPrivilege	4120	MSIEXEC.EXE
Token: SeDebugPrivilege	4120	MSIEXEC.EXE
Token: SeAuditPrivilege	4120	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4120	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4120	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4120	MSIEXEC.EXE
Token: SeUndockPrivilege	4120	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4120	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4120	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4120	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4120	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	4120	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	4120	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4120	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4120	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4120	MSIEXEC.EXE
4120	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 4120	212	rserv34cn.exe	86
PID 212 wrote to memory of 4120	212	rserv34cn.exe	86
PID 212 wrote to memory of 4120	212	rserv34cn.exe	86
PID 548 wrote to memory of 2440	548	msiexec.exe	89
PID 548 wrote to memory of 2440	548	msiexec.exe	89
PID 548 wrote to memory of 2440	548	msiexec.exe	89
PID 548 wrote to memory of 2656	548	msiexec.exe	98
PID 548 wrote to memory of 2656	548	msiexec.exe	98
PID 548 wrote to memory of 4056	548	msiexec.exe	100
PID 548 wrote to memory of 4056	548	msiexec.exe	100
PID 548 wrote to memory of 4056	548	msiexec.exe	100
PID 548 wrote to memory of 3084	548	msiexec.exe	101
PID 548 wrote to memory of 3084	548	msiexec.exe	101
PID 548 wrote to memory of 3928	548	msiexec.exe	102
PID 548 wrote to memory of 3928	548	msiexec.exe	102
PID 548 wrote to memory of 3928	548	msiexec.exe	102
PID 548 wrote to memory of 4468	548	msiexec.exe	103
PID 548 wrote to memory of 4468	548	msiexec.exe	103
PID 4468 wrote to memory of 2164	4468	MsiExec.exe	104
PID 4468 wrote to memory of 2164	4468	MsiExec.exe	104
PID 4468 wrote to memory of 632	4468	MsiExec.exe	105
PID 4468 wrote to memory of 632	4468	MsiExec.exe	105
PID 2084 wrote to memory of 2508	2084	svchost.exe	107
PID 2084 wrote to memory of 2508	2084	svchost.exe	107
PID 2084 wrote to memory of 4244	2084	svchost.exe	108
PID 2084 wrote to memory of 4244	2084	svchost.exe	108
PID 4468 wrote to memory of 2432	4468	MsiExec.exe	112
PID 4468 wrote to memory of 2432	4468	MsiExec.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\rserv34cn.exe
"C:\Users\Admin\AppData\Local\Temp\rserv34cn.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{ECF6FE39-A8B0-411B-83AC-75A17875FE6F}\rserv34cn.msi" TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\{C8003AA3-201D-4BB0-A6EA-6B59CBBD4199}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4120

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 74048D905452D31F8B9C0816A4885707 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2440
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2656
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6F739D14E272D58B6592F8FD6ABAE1B1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4056
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 7D672335BF7387A6718C8C3BCCF39846
  2⤵
  - Loads dropped DLL
  PID:3084
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 77A5EB6D3EE61B688C08B2F4A2650D6F E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3928
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 1C697BDF25D67FA05D6445AA5B02F22A E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Users\Admin\AppData\Local\Temp\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\rsetup64.exe
    "C:\Users\Admin\AppData\Local\Temp\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\rsetup64.exe" /stop
    3⤵
    - Executes dropped EXE
    PID:2164
- - C:\Windows\SysWOW64\rserver30\rsetup64.exe
    "C:\Windows\SysWOW64\rserver30\rsetup64.exe" /intsetup
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
    PID:632
- - C:\Users\Admin\AppData\Local\Temp\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\rsetup64.exe
    "C:\Users\Admin\AppData\Local\Temp\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\rsetup64.exe" /intuninstall
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:2432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "c:\windows\syswow64\rserver30\mirrorv3.inf" "9" "40bbf019f" "0000000000000138" "WinSta0\Default" "0000000000000158" "208" "c:\windows\syswow64\rserver30"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2508
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\DISPLAY\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:c36c271b1f3e5101:mirrorv3:3.1.0.0:radmin_mirror_v3," "40bbf019f" "0000000000000138"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:4244

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4DD39726D4B55AC3B4119B35A893323C_D7897DB58F87E70B5D418519BA8C7C12

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5

Filesize
1KB

MD5
1ba25895dc793e6826cbe8d61ddd8293

SHA1
6387cc55cbe9f71ae41b2425192b900a1eb3a54f

SHA256
cc4c5c999ca59e5a62bc3ffe172a61f8cf13cc18c89fe48f628ff2a75bdc508a

SHA512
1ff9b34fdbeae98fa8b534ba12501eb6df983cc67ce4f8ffc4c1ff12631aa8ed36ff349c39a2186e0ac8d9809437106578a746eec3854b54fef38a3cc0adb957

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4DD39726D4B55AC3B4119B35A893323C_D7897DB58F87E70B5D418519BA8C7C12

Filesize
404B

MD5
a6ca282aee165c8d55f45e01f5ac7aad

SHA1
e2b07ac06517dfd451f302ae1c154e9a7964cc0b

SHA256
633e6c04e3744fec15d0204e25944a72dd56ea90fa2e7aec4d7e25b5024c364b

SHA512
a8c9036ad91193f22c02ec4b053139443dafc6ae823e12b292fa4fa7fe15b8e21251ca49ce9b2f836a939e50c5118a64b99633fa117c29b1741aeb345b510ed0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5

Filesize
182B

MD5
6b950279bf5c871bfdac309988860ad6

SHA1
78d0889ed3d7942357df65598d9d504aa843d9db

SHA256
b18ee9c23a492139c5e17e4086a57b5ad385a8c7c213d2ef4d78ce88eb74f638

SHA512
e1f0e3339fb1e63ab0f3045ecf7446e57f029bf6492f36bb347464390a869683e551cbc12bc2c881653f69c26a2efab4bf2363ad64d74235578202e410487ae4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC

Filesize
404B

MD5
eaaf0706283a473d3c976ee7308c843b

SHA1
9b607b8c90dcc528dee587625f277e59d0920c92

SHA256
fb7ae2d793db3c0180ade0f15e636f5ae3e4f17bdde06dc1a6405f30a1b0e856

SHA512
0d5697dda0e9a979e49b20c0f9331633e3fcc7c77f6705ff492a754758289f66a3a11a71fa3cd472ea354d558a409db0ece5839187c82f44c51d5212a11abf22

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICDB0.tmp

Filesize
52KB

MD5
4a908ee9c6f2f4aad63382cccee731e4

SHA1
e572580949f277987fe232757ce88c2ac35e0223

SHA256
459f503fb8b4fc4a600261430ac77bf70118d41fa19f7b2620d43ba6e9c8fa5e

SHA512
75ba5856df7ed1457b6192e3b12c5dbb9cd0c6860d787357b37d5e2aabdd1dddb1fd6195064cad1b166431a71dee233b76cb6304d8e868050d79c731ef6e567f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICE3E.tmp

Filesize
84KB

MD5
abb81f7897bb48a036686ccf840287ae

SHA1
d6d648782584340bfa56c8e6d34fd70707af5d36

SHA256
9dc871199cc9e96067a32401d225af50683ac14efaf35edc61aa45f346374494

SHA512
4769d555b95ad593eae41e1cb91a9c7539b1c115b9b19a4954dec791f4d662388b459e3b7ad2964d5e0db4270406816582986d5a184bf55fd6c067906c2e0b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\rsetup64.exe

Filesize
70KB

MD5
6641ee263466f462f0e302f25c6312d2

SHA1
61e5421a46cdb51282b265d7e5366becde7e3673

SHA256
7c5ceec18e24518bdd90eccb62bfc058eba9c875b3ef8d9624f525cc3076459a

SHA512
49b98530f56eefcc03ba0e1529ef943457024cc7c963342c114738e8f4e6ce9b0712fcf4944f1caf53eb0faaafddd23938d55ec41d70741f1a4f5f3a22240f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C8003AA3-201D-4BB0-A6EA-6B59CBBD4199}\0x0409.ini

Filesize
5KB

MD5
52d179ad79966752ec40a678fd8b0062

SHA1
f12df9b03090286d1093b5421aea3acc358cc032

SHA256
57e020c41ad0566fb55415a40167a0c3da89584bc4e5f961d8e8c646f80c5590

SHA512
b5fb5002f1947a765a83c9a960c378b04adfe7acebbd8be79dca07c73d7ff96f5e988d8b6995c8ba6156a74ecdb0084e543090704080ea3095dbb80835cdf9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C8003AA3-201D-4BB0-A6EA-6B59CBBD4199}\1033.MST

Filesize
44KB

MD5
040b84af6f426db7bd01ea5d61bea173

SHA1
c9547a6638a7853d789a26f4b129d6fd184bd5f0

SHA256
254c4c749bcf204f1198cc73ecf3178b6974a64bd6975453217082967df64cae

SHA512
ec9eab27b5addf4225144fc34f0e1620cd456ebc53312584412f1d0988aaf53eeb347cd32728e9057ecea9ccc86db4df49ded7c3da4c3f914d26623efb75c4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C8003AA3-201D-4BB0-A6EA-6B59CBBD4199}\Setup.INI

Filesize
2KB

MD5
758c5ed62ff71f817b9ab30b8f039f23

SHA1
5b657f17aac044d79334b3637457d839a5bde9d9

SHA256
1dadaaae9125fce25ee2d0fecc8144e7383c8ddff5d7c7bfef186ec01267dc61

SHA512
d793ec47a18ddd6bec26f85af5718a950f33a84202735a938b0fc4881428c48ed76d7359e039f9deffc5293a9dc06f53a35c53cf75bd2b38997c1153c90c2603

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C8003AA3-201D-4BB0-A6EA-6B59CBBD4199}\_ISMSIDEL.INI

Filesize
201B

MD5
8129fb4320ade1f89da701814f973b41

SHA1
97d37823df357924a5b30aaca9e84da9acb6c4b7

SHA256
7d0642c4378e1f48261c35541ec42f3330bbf6abd84b5cf788fd0da9f73413c4

SHA512
6524cff39706801d4b4c92dd82f251f9f380159c2301b8c88fb38d46a9fc4c8d77fac168731d6be50965091bd9867eda84abb53db6df227150b15ba3e518e024

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C8003AA3-201D-4BB0-A6EA-6B59CBBD4199}\_ISMSIDEL.INI

Filesize
11B

MD5
3fdd2635aa94921522af8186f3c3d736

SHA1
0fe63553e9f993c0cb2cb36b8cdcfba4f4a2650d

SHA256
17ad78845c9c6a8e97a5bd14be56700a51ee85867c979ed6cf538e1fed82cf7c

SHA512
ebdbeefbdc777937fce516a1cbd9af7c305fc242091d695ad919a27c98fac5b6b16b44130bdf97dbfd10561cce701180b1fbb303d848944c3b33b8a3c058653a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C8003AA3-201D-4BB0-A6EA-6B59CBBD4199}\rserv34cn.msi

Filesize
5.6MB

MD5
1dac3f062b5fc9554700ef99ec0b6abf

SHA1
d08f114421bf8797db4eb5f01b86a977e7434f43

SHA256
cc0f6531d0afe6c0fc94b0491e3efd5de5e40ad06273fefab8349866e52fa33d

SHA512
672322e1c21cddf1efe03deb9264c58dfb476fd6d032f215431b87db0dfbbe95cece46de462568c6385ee849569f27f2569b228e358f799c1eef0769a6e432ee

Download Submit
C:\Windows\Installer\MSI4273.tmp

Filesize
101KB

MD5
4f3085722bf0e18a988034455b53dca1

SHA1
32ab2e7d9fd7dd3f9cf2f1b92f6568523ca6218f

SHA256
fea1f42e9ebc078204339afa4c0774162c730cbebf27fa86b9e695d55da110ab

SHA512
d046f8a9d0a4b061647c808895c5c4fe6921a4a484700c4894a5c0f771448a841a514b083fc3c94bc720e91b51dcf30ca50f6161b70376dad4b39452668b1233

Download Submit
C:\Windows\Installer\MSI443A.tmp

Filesize
89KB

MD5
0ffa26a6b269361f11dffe6cd4b99352

SHA1
ef432c3ebfde99a9ec08d76f80b0fc727f79248a

SHA256
e2d9a590ba293cea1d55a3886c81d55ffd4217568cd5c0584b52f50f1629c6b2

SHA512
3cf3b4473318134ec9c935821edb8c7634b823337babbf41c892250f40d46c5cf32094fc7fe14da228811ad65134c43fb46fba848c07c97f205cddb00ad392f3

Download Submit
C:\Windows\Installer\{3A8C4C87-D460-488A-A0AA-8993F6D355B1}\NewShortcut4_6BF1780B36EA432B9451DD84FF5C9D52.exe

Filesize
64KB

MD5
c20a2a9314375588db5eab2f4fe1487b

SHA1
c0ac75101d3f73d57a120e3e65c68bc707a22c1a

SHA256
565175e156b9f0dd577187ef927d669be023aee54904c9f8bd743e05e6263f0a

SHA512
e80eb1ca76e8cfce3fdfd73611a0e1fd64ea650307fc04e78244d9686f43215bed8a4e9bc1857af58e5514a34a03f7610fd32c697492496b4199b7c7567be8f6

Download Submit
C:\Windows\SysWOW64\rserver30\mirrorv3.inf

Filesize
2KB

MD5
f5273aae90874a5ba71b05642dff86af

SHA1
f532d104c395600492d4bf21951cceea42fe9178

SHA256
ebee10f12b7fc2d102b8cd1c173afb7494d9f77b938caeafe0873c4dabf86e4d

SHA512
7d26877b9af860db40ab16da0886889ede8a751f9ff77dabac0365751da02db5212f0fd413ae0b4bcf960bc515551e28f3301fc12e61690783c0ee8a42f303d6

Download Submit
C:\Windows\SysWOW64\rserver30\rserver3.exe

Filesize
1.2MB

MD5
7f4e16384fa3bdc035015148e768a87a

SHA1
81d62f525ca7ba1c765e15d08bd17d13f12b1457

SHA256
f4ef76d02e723d6533f524b42920b7ad319f9fabc7b4f398d2e9099978c94c84

SHA512
1e52951be927d8dfb73a018b54c8594adab4f6aeb9bad7aa96b991e95c56b74cc6fd77d9b3a989f04a963f15f3c05d75bbe1755067d5b46346d47f825b5a16fc

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
5fe4240d8cae9688cf4d6098f13cd4c3

SHA1
17a474621e125a48b7b359c092e635928c3dd407

SHA256
b63cd8ca3b02e3e0adb74f2cb84026b62411842165e169bd522864f85a9a881f

SHA512
a3d9134d2c486fee3965735f66a8fca6843f6c87b83277da529e46d5ec9d31df05fcdb352cdf8f2b64d1ef8f106b1ae7e43574d4f08518f62f16228cfb23259b

Download Submit
\??\Volume{f9c79713-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{89808647-a638-4f80-b8a9-945b5da02f95}_OnDiskSnapshotProp

Filesize
6KB

MD5
70245ee5be233a367caac936d167d4ca

SHA1
7d541ddb296472af9cf8760d5cc709eec700ad38

SHA256
96974d7ef8670908faf802a41d7d65ef65aac21b622b1c2b96746b34eff697a5

SHA512
02b2f1f0b6ae014cac0723fa1fd47b2b1557fe83dae2cee7b87f111b04a18849db1b1af1fd7796d06eb83a668820d1c6c37e56896e6b091c7b55b1562e44903b

Download Submit
\??\c:\windows\syswow64\RSERVE~1\mirrorv3.dll

Filesize
16KB

MD5
116bbd9926614070f4f01393d10eca08

SHA1
505ceba65e29daa4e091f7d4c497cf654344795d

SHA256
3cbe182b0828ef0e9533beecdad674f06dddc30b73a2c621e2460dadebd9b407

SHA512
ff426e88d850dd8da2f68109c7c69ce3da92287a307cfb7883c857c4f29ba8e7192b897c9851fca4943038eab0149fc259f2c997e4744fe40e32066437098e65

Download Submit
\??\c:\windows\syswow64\RSERVE~1\rminiv3.sys

Filesize
5KB

MD5
090ee52afdff9932909c480bdda0c8ce

SHA1
ae787dbf6a539818bccd1df037cdfe50ad5d08c2

SHA256
91be40f2b4d9912979611e0545f6a1e9d8af81ac149a11f46180ef5015e58cdf

SHA512
9b36d5afb6023d9d6a83b7d95d63ee2cfaa86e79021fda8400131c0ea742fab5e485a1eb226397d1677145295c897da248610aeb1a13211aa67d5af839431ac3

Download Submit
\??\c:\windows\syswow64\rserver30\mirrorv3.cat

Filesize
10KB

MD5
73b8eb012919dace778b41145c6df3ad

SHA1
0253ebc34886237d5a5d469ec48eb48077842aa5

SHA256
26d93aeacad81c893000e86dfe7fbaf6e6972861656567e211ac9db6f065812d

SHA512
a460d473dd76ecae59b29569f3eb4f81ac60aada07a7a609006969fc63236a3625570e54b6bf73adf403190cef0256746a1256850d28364a9067752ba7258653

Download Submit