hawkeye_reborn | hxxp://zahernabelsi[.]com/zahers/

Analysis

max time kernel
133s
max time network
150s
platform
windows10_x64
resource
win10v200217
submitted
21-02-2020 16:51

Sharing

Copy URL

Twitter E-mail

General

Target

http://zahernabelsi.com/zahers/
Sample

200221-xk83gt9c5j

Score

10^/10

keylogger trojan stealer spyware hawkeye_reborn evasion ransomware persistence discovery

Malware Config

Signatures

Modifies service 2 TTPs 161 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exemsiexec.exesrtasks.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\BKGND_FREEZE_THREAD (Leave) = 48000000000000005fe444bcdfe8d5014008000024010000fc030000000000000300000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTFINALCOMMIT (Leave) = 480000000000000033a1e4bcdfe8d50140080000f403000007040000000000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppCreate (Enter) = 48000000000000001ccf24acdfe8d50188080000bc080000d00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 480000000000000069102abadfe8d501400800003409000002000000010000000100000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\FREEZE (Enter) = 4800000000000000d8e39ebadfe8d5014008000054010000eb030000010000000200000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\IOCTL_RELEASE (Enter) = 480000000000000074f838bcdfe8d50140080000f4030000ff0300000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\THAW (Enter) = 480000000000000001bd3dbcdfe8d50140080000f4030000f2030000010000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\GETSTATE (Enter) = 48000000000000000178b0b9dfe8d50140080000a40c0000f9030000010000000100000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_RM (Leave) = 4800000000000000e710d0bbdfe8d50140080000f4030000ef030000000000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\BACKUPSHUTDOWN (Enter) = 48000000000000007eeff2bcdfe8d50140080000ec030000fb030000010000000500000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{2cb2d4b6-0000-0000-0000-500600000000}_)\OPEN_VOLUME_HANDLE (Leave) = 480000000000000041d212bcdfe8d501400800003c080000fd030000000000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PREFINALCOMMIT (Leave) = 4800000000000000672f91bcdfe8d50140080000f403000006040000000000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Leave) = 48000000000000001ccf24acdfe8d50188080000bc080000d10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{2cb2d4b6-0000-0000-0000-500600000000}_)	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\PREPAREBACKUP (Enter) = 4800000000000000bfcc42b9dfe8d50188080000900e0000e9030000010000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\PREPAREBACKUP (Enter) = 48000000000000009d554cb9dfe8d50140080000a40c0000e9030000010000000100000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 480000000000000069102abadfe8d501400800006c0e000002000000010000000100000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGatherWriterMetadata (Leave) = 4800000000000000c2ff32b8dfe8d50188080000bc080000d30700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\PREPAREBACKUP (Leave) = 4800000000000000051b51b9dfe8d50140080000a40c0000e9030000000000000100000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) = 48000000000000005fe444bcdfe8d501400800006c0e000004000000010000000300000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\PREPARESNAPSHOT (Enter) = 4800000000000000bd750dbadfe8d501400800006c0e0000ea030000010000000100000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\THAW (Leave) = 48000000000000005fe444bcdfe8d50140080000f4030000f2030000000000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) = 4800000000000000937bbebcdfe8d501400800006c0e000005000000010000000400000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\BACKUPSHUTDOWN (Leave) = 48000000000000007eeff2bcdfe8d50140080000ec030000fb030000000000000500000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\PREPARESNAPSHOT (Leave) = 480000000000000069102abadfe8d5014008000034090000ea030000000000000100000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE (Enter) = 48000000000000003c1f9abadfe8d50140080000f4030000eb030000010000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\FREEZE (Leave) = 4800000000000000a345a1badfe8d5014008000054010000eb030000000000000200000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\BKGND_FREEZE_THREAD (Leave) = 48000000000000005fe444bcdfe8d50140080000700c0000fc030000000000000300000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTFINALCOMMIT (Enter) = 48000000000000008cc9ccbcdfe8d50140080000f403000007040000010000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Leave) = 48000000000000009f6627bddfe8d501400c00009c010000d20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\IDENTIFY (Leave) = 4800000000000000e9073facdfe8d5014008000050010000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\PREPAREBACKUP (Enter) = 48000000000000009d554cb9dfe8d50140080000b8070000e9030000010000000100000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\GETSTATE (Enter) = 48000000000000000178b0b9dfe8d50140080000b8070000f9030000010000000100000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 480000000000000003732cbadfe8d501400800005401000002000000010000000100000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\FREEZE (Leave) = 4800000000000000d8e39ebadfe8d5014008000054010000eb030000000000000200000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\THAW (Enter) = 48000000000000005fe444bcdfe8d50140080000ec030000f2030000010000000300000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\IDENTIFY (Enter) = 4800000000000000d87e35acdfe8d50188080000540c0000e8030000010000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer\IDENTIFY (Leave) = 48000000000000001d9248acdfe8d50140080000a40c0000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\IDENTIFY (Enter) = 480000000000000066a73cacdfe8d50140080000640d0000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_COMMIT (Leave) = 480000000000000074f838bcdfe8d50140080000340e000004040000000000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\THAW (Leave) = 48000000000000005fe444bcdfe8d5014008000054010000f2030000000000000300000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\PREPAREBACKUP (Leave) = 4800000000000000051b51b9dfe8d50140080000b8070000e9030000000000000100000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\PREPARESNAPSHOT (Enter) = 4800000000000000a9d60fbadfe8d5014008000034090000ea030000010000000100000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{2cb2d4b6-0000-0000-0000-500600000000}_)\IOCTL_FLUSH_AND_HOLD (Leave) = 480000000000000074f838bcdfe8d501400800003c080000fe030000000000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) = 48000000000000005fe444bcdfe8d50140080000ec03000004000000010000000300000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PREFINALCOMMIT (Enter) = 48000000000000005fe444bcdfe8d50140080000f403000006040000010000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Leave) = 4800000000000000ae0920acdfe8d50188080000bc080000d20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\PREPAREBACKUP (Leave) = 48000000000000009d554cb9dfe8d50140080000640d0000e9030000000000000100000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_THAW (SetCurrentState) = 4800000000000000d8e39ebadfe8d501400800005401000003000000010000000200000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\FREEZE (Enter) = 48000000000000003ecfaabadfe8d50140080000ec030000eb030000010000000200000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\IOCTL_FLUSH_AND_HOLD (Enter) = 480000000000000041d212bcdfe8d50140080000f4030000fe030000010000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\POSTSNAPSHOT (Leave) = 480000000000000051b89abcdfe8d50140080000ec030000f5030000000000000400000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_ENDPREPARE (Enter) = 4800000000000000223cd4b9dfe8d50140080000f403000002040000010000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\BKGND_FREEZE_THREAD (Enter) = 4800000000000000d8e39ebadfe8d50140080000700c0000fc030000010000000300000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_COMMIT (Enter) = 480000000000000074f838bcdfe8d50140080000340e000004040000010000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\THAW_KTM (Leave) = 480000000000000001bd3dbcdfe8d50140080000f4030000f4030000000000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_ENDPREPARE (Leave) = 4800000000000000e64c06badfe8d50140080000f403000002040000000000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\DOSNAPSHOT (Leave) = 480000000000000001bd3dbcdfe8d50188080000a40f00000a040000000000000000000000000000dd6406956825b048bd27da445a9e218200000000000000000000000000000000	msiexec.exe

Checks for installed software on the system 1 TTPs 60 IoCs

discovery

Query Registry

T1012

Processes:

msiexec.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	msiexec.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	msiexec.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	msiexec.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	msiexec.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName	msiexec.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}\DisplayName	msiexec.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exeMSI44D6.tmpRegSvcs.exe

description	pid	process
Token: SeShutdownPrivilege	1776	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1776	msiexec.exe
Token: SeSecurityPrivilege	2184	msiexec.exe
Token: SeCreateTokenPrivilege	1776	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1776	msiexec.exe
Token: SeLockMemoryPrivilege	1776	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1776	msiexec.exe
Token: SeMachineAccountPrivilege	1776	msiexec.exe
Token: SeTcbPrivilege	1776	msiexec.exe
Token: SeSecurityPrivilege	1776	msiexec.exe
Token: SeTakeOwnershipPrivilege	1776	msiexec.exe
Token: SeLoadDriverPrivilege	1776	msiexec.exe
Token: SeSystemProfilePrivilege	1776	msiexec.exe
Token: SeSystemtimePrivilege	1776	msiexec.exe
Token: SeProfSingleProcessPrivilege	1776	msiexec.exe
Token: SeIncBasePriorityPrivilege	1776	msiexec.exe
Token: SeCreatePagefilePrivilege	1776	msiexec.exe
Token: SeCreatePermanentPrivilege	1776	msiexec.exe
Token: SeBackupPrivilege	1776	msiexec.exe
Token: SeRestorePrivilege	1776	msiexec.exe
Token: SeShutdownPrivilege	1776	msiexec.exe
Token: SeDebugPrivilege	1776	msiexec.exe
Token: SeAuditPrivilege	1776	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1776	msiexec.exe
Token: SeChangeNotifyPrivilege	1776	msiexec.exe
Token: SeRemoteShutdownPrivilege	1776	msiexec.exe
Token: SeUndockPrivilege	1776	msiexec.exe
Token: SeSyncAgentPrivilege	1776	msiexec.exe
Token: SeEnableDelegationPrivilege	1776	msiexec.exe
Token: SeManageVolumePrivilege	1776	msiexec.exe
Token: SeImpersonatePrivilege	1776	msiexec.exe
Token: SeCreateGlobalPrivilege	1776	msiexec.exe
Token: SeBackupPrivilege	2112	vssvc.exe
Token: SeRestorePrivilege	2112	vssvc.exe
Token: SeAuditPrivilege	2112	vssvc.exe
Token: SeBackupPrivilege	2184	msiexec.exe
Token: SeRestorePrivilege	2184	msiexec.exe
Token: SeRestorePrivilege	2184	msiexec.exe
Token: SeTakeOwnershipPrivilege	2184	msiexec.exe
Token: SeRestorePrivilege	2184	msiexec.exe
Token: SeTakeOwnershipPrivilege	2184	msiexec.exe
Token: SeBackupPrivilege	3136	srtasks.exe
Token: SeRestorePrivilege	3136	srtasks.exe
Token: SeSecurityPrivilege	3136	srtasks.exe
Token: SeTakeOwnershipPrivilege	3136	srtasks.exe
Token: SeRestorePrivilege	2184	msiexec.exe
Token: SeTakeOwnershipPrivilege	2184	msiexec.exe
Token: SeRestorePrivilege	2184	msiexec.exe
Token: SeTakeOwnershipPrivilege	2184	msiexec.exe
Token: SeBackupPrivilege	3136	srtasks.exe
Token: SeRestorePrivilege	3136	srtasks.exe
Token: SeSecurityPrivilege	3136	srtasks.exe
Token: SeTakeOwnershipPrivilege	3136	srtasks.exe
Token: SeDebugPrivilege	612	MSI44D6.tmp
Token: SeDebugPrivilege	908	RegSvcs.exe
Token: SeRestorePrivilege	2184	msiexec.exe
Token: SeTakeOwnershipPrivilege	2184	msiexec.exe
Token: SeRestorePrivilege	2184	msiexec.exe
Token: SeTakeOwnershipPrivilege	2184	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30795999"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000671cc77501b1bb4a8c8ac6fabaa4446c0000000002000000000010660000000100002000000074b289d9de02933d20e667ba24cf9a86e9e3b5c767071750d2d443ed7823733d000000000e8000000002000020000000d27f079f38087ae4b0f81d50854aca3f6a2b1a0920c66b441b50831b517c3a5520000000b15b14d7877bdca0620419158e72e1b674fa570e49bcccbadf110bd9947565144000000023edfc80062d33b2c1b9bc3e6c35c7f650d27cf9ed6e11bbe29a3da897cd08c3010a89a1df9264cda7cc09947d1ab1a44e52e5e282ff8c4011a6ebfadbab10a3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 808069c3dfe8d501	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 7b1739bb04e6d501	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30795999"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10137eb4dfe8d501	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DC93BF43-54D2-11EA-B6A1-D29F5EDD8868} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30795999"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000671cc77501b1bb4a8c8ac6fabaa4446c0000000002000000000010660000000100002000000054664aabf9bc5efff5784091b85bee20fac31ee9e25bf716675dc4fedbd9e1d2000000000e800000000200002000000039fa0ba1d7939f1c9ddb51145786496b785d2ce12acbf3f8a9881d7f42224f77e000000059af9aa12ac72e5e3d324e0727ef26f4c7aa840bdaa4bf4bbc8e6ad36471884b67be72581b2b60a2778c4d29d3baadd71829392c376726b2539f55ba9c451b8c00609ae9d1fb59123bede4c8656d0a8b16bd6c5c93abbf28d79c2fac5273129cd267ab758954a232adf17c28e9068bf12842e6261ae559b555145ee5b8eb44e470955a22f99fad1663d358345af5b861aae2c914e66c9dede1f5407919e27bb301dad5cc06500c95e06b2e22ce5665001a93ba3caf302fd11faf12ee1fe30082082a9eddba668e3a7490cd3483efaf875473caeca524ac5e83082aa95752e66340000000ffd5a5b16b4c709ad39fa87ed2211c4b56c15b9dc1d912be09d875489b2add8f9ac4ccf0dd042cc868721c315511b4203dce351052f83f274d5b151628149a1c	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000671cc77501b1bb4a8c8ac6fabaa4446c000000000200000000001066000000010000200000004e12c53ecfdffff6ffcd37bcc40bd820acd5690f1432053f4760a316a253335b000000000e8000000002000020000000787982b12f7f58711755e68d92e827fba65cf28dbaa02552445e221486614bede000000096a50a5ac1fd39082249798008d68e941f8dcf29114c5371b64d59b2553576fcb34cc84fb5754d1b65902a7f93ce4e56f5048d767d95fb1f362a0b2ccba429b2941b813e636418aca9144f7e9ce96be54361d3ff3cd2d69e101fe4f7e005c0f92e1bf1eb1fbb7fe0e15915b034313e5db0be581a6a900f5e3bb2238c99bb31d4d9ce1cde2e409555d39e9b3524dfa6884088fd08b0eacd93478c6c66b47ac8a8705ccdfc2dd59bb13cf7ea4aafc748dff4e94e480a4c26e3208303f4e91f47ee4be04e4cb51ca25b7fdf4753ecea40d4af8db2e77b85f58d8d12e2d94980864e40000000d39e0b81837670a3d7a04694a844348b491785429ddc41ee24281893c053f1b9825a4768bd9f58007a82293c425a41d3c0186133ffa40423236da9577bb9835c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000671cc77501b1bb4a8c8ac6fabaa4446c0000000002000000000010660000000100002000000002c609f690d9d9d4a1ffdd210ae1bfa8581e85933473a4c7c25265db9e000e75000000000e80000000020000200000008abd25fcbe7ff16eaad16d7e0efc3d4dc1fc0c92fba258be7d8451ace84183e7200000004554f1adbb75f2695edba31f25ffacf189005b387de0a3e2ac912a17a44d40f44000000081c28cacd64fee39e47c2591ffa27744dc3bb706a436f3790770274d177487d5992b2a238ca06567bbaa822d07a266aee95feafe602864a996d27bf7fd32d762	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 207674b4dfe8d501	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2970662550"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000671cc77501b1bb4a8c8ac6fabaa4446c00000000020000000000106600000001000020000000ed5aca0bffd47a7e4984357ad565f283b7ec93b32ba5fc1802f555c4fcd494dc000000000e80000000020000200000004a6bf3ced2278d5dc389d1726f22ea22b8ee3013c82dca6b1a4b07cdf870012b2000000071567716b2f5b70fbbf986a78440e411bee5c5dbb1d2abf83acb7cb70a0aa7834000000053531185e65b63d4ef604108060e9e90a2f7231407e36db37e41aa573ea3d3e55177a6376d8b1d8b5c287307f04a473e7bf4c732bcfe4ce64c683bcbf44230db	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{6002EF4D-FC06-452E-AD1F-CEA1854D4CC7}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2970662550"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3002537608"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe

Modifies registry class 3 IoCs

Processes:

iexplore.exeMSI44D6.tmpOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000_Classes\Local Settings	MSI44D6.tmp
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000_Classes\Local Settings	OpenWith.exe

Discovering connected drives 3 TTPs 15 IoCs

ransomware

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeiexplore.exeIEXPLORE.EXEmsiexec.exesrtasks.exevssvc.exeMSI44D6.tmp

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\C:	iexplore.exe
File opened (read-only)	\??\C:	IEXPLORE.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\C:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\C:	srtasks.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\C:	msiexec.exe
File opened (read-only)	\??\C:	vssvc.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\C:	MSI44D6.tmp

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

iexplore.exeIEXPLORE.EXEOpenWith.exe

pid	process
3836	iexplore.exe
3836	iexplore.exe
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
1912	OpenWith.exe
1912	OpenWith.exe
1912	OpenWith.exe
1912	OpenWith.exe
1912	OpenWith.exe
1912	OpenWith.exe
1912	OpenWith.exe
1912	OpenWith.exe
1912	OpenWith.exe

Checks SCSI registry key(s) 3 TTPs 96 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1008 schtasks.exe
HawkEye Reborn
HawkEye Reborn is an enchanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn

pid	process
1008	schtasks.exe

Drops file in Windows directory 14 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\13dcf.msi	msiexec.exe
File created (read-only)	C:\Windows\Installer\MSI44D6.tmp	msiexec.exe
File deleted	C:\Windows\Installer\MSI44D6.tmp	msiexec.exe
File deleted	C:\Windows\Installer\MSI42D0.tmp	msiexec.exe
File created	C:\Windows\Installer\13dcf.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created (read-only)	C:\Windows\Installer\MSI42D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI42D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI44D6.tmp	msiexec.exe
File deleted	C:\Windows\Installer\13dcf.msi	msiexec.exe
File deleted	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

iexplore.exemsiexec.exeMSI44D6.tmp

description	pid	process	target process
PID 3836 wrote to memory of 3868	3836	iexplore.exe	IEXPLORE.EXE
PID 3836 wrote to memory of 3868	3836	iexplore.exe	IEXPLORE.EXE
PID 3836 wrote to memory of 3868	3836	iexplore.exe	IEXPLORE.EXE
PID 3836 wrote to memory of 1776	3836	iexplore.exe	msiexec.exe
PID 3836 wrote to memory of 1776	3836	iexplore.exe	msiexec.exe
PID 2184 wrote to memory of 3136	2184	msiexec.exe	srtasks.exe
PID 2184 wrote to memory of 3136	2184	msiexec.exe	srtasks.exe
PID 2184 wrote to memory of 612	2184	msiexec.exe	MSI44D6.tmp
PID 2184 wrote to memory of 612	2184	msiexec.exe	MSI44D6.tmp
PID 2184 wrote to memory of 612	2184	msiexec.exe	MSI44D6.tmp
PID 612 wrote to memory of 1008	612	MSI44D6.tmp	schtasks.exe
PID 612 wrote to memory of 1008	612	MSI44D6.tmp	schtasks.exe
PID 612 wrote to memory of 1008	612	MSI44D6.tmp	schtasks.exe
PID 612 wrote to memory of 908	612	MSI44D6.tmp	RegSvcs.exe
PID 612 wrote to memory of 908	612	MSI44D6.tmp	RegSvcs.exe
PID 612 wrote to memory of 908	612	MSI44D6.tmp	RegSvcs.exe
PID 612 wrote to memory of 908	612	MSI44D6.tmp	RegSvcs.exe
PID 612 wrote to memory of 908	612	MSI44D6.tmp	RegSvcs.exe
PID 612 wrote to memory of 908	612	MSI44D6.tmp	RegSvcs.exe
PID 612 wrote to memory of 908	612	MSI44D6.tmp	RegSvcs.exe
PID 612 wrote to memory of 908	612	MSI44D6.tmp	RegSvcs.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exemsiexec.exe

pid process

3836 iexplore.exe
3836 iexplore.exe
1776 msiexec.exe
3836 iexplore.exe
1776 msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msiexec.exeMSI44D6.tmp

pid	process
2184	msiexec.exe
2184	msiexec.exe
612	MSI44D6.tmp
612	MSI44D6.tmp
612	MSI44D6.tmp
612	MSI44D6.tmp
612	MSI44D6.tmp
612	MSI44D6.tmp
612	MSI44D6.tmp
612	MSI44D6.tmp

Executes dropped EXE 1 IoCs

Processes:

MSI44D6.tmp

pid process

612 MSI44D6.tmp
Suspicious use of SetThreadContext 1 IoCs

Processes:

MSI44D6.tmp

description pid process target process

PID 612 set thread context of 908 612 MSI44D6.tmp RegSvcs.exe

pid	process
612	MSI44D6.tmp

description	pid	process	target process
PID 612 set thread context of 908	612	MSI44D6.tmp	RegSvcs.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://zahernabelsi.com/zahers/
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Discovering connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
PID:3836

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3836 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Discovering connected drives
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
PID:3868

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W70IXR76\gf8oxriqyniw6zy.msi"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Discovering connected drives
- Suspicious use of FindShellTrayWindow
PID:1776

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies service
- Checks for installed software on the system
- Suspicious use of AdjustPrivilegeToken
- Discovering connected drives
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:2184

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
- Discovering connected drives
PID:3136

C:\Windows\Installer\MSI44D6.tmp
"C:\Windows\Installer\MSI44D6.tmp"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies registry class
- Discovering connected drives
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:612

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UdQkDzlHNFEt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3AF.tmp"
3⤵
- Creates scheduled task(s)
PID:1008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
- Discovering connected drives
PID:2112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3252

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:2928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W70IXR76\gf8oxriqyniw6zy.msi.294bb8s.partial

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3AF.tmp

Download Submit
C:\Users\Admin\Downloads\gf8oxriqyniw6zy.zip.9v1evgp.partial

Download Submit
C:\Windows\Installer\MSI44D6.tmp

Download Submit
C:\Windows\Installer\MSI44D6.tmp

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Download Submit
\??\Volume{2cb2d4b6-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{950664dd-2568-48b0-bd27-da445a9e2182}_OnDiskSnapshotProp

Download Submit
memory/908-11-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2184-20-0x000002203FBC0000-0x000002203FBC1000-memory.dmp

Filesize
4KB

Download