1ae52558dadc5c5b388c0a64b6e54ead3280540b5a1db2d90f20d960257004dd

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7
submitted
09-07-2020 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

568a1s0ssssd7da.exe
Size

717KB
MD5

694515cebc637b78ef56b8f23c60b9a3
SHA1

266db1b85eebf7b3b0128ddbfcea85e3c428c12b
SHA256

1ae52558dadc5c5b388c0a64b6e54ead3280540b5a1db2d90f20d960257004dd
SHA512

baad45d41b5b6c50803bcb09221aa21316295f0ad1db009167c03070a4e600c0554d43904ff67150662860d1ce080029ecdaa96b006d0c5d56560bb417d35442

Score

10^/10

ransomware persistence spyware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://7rzpyw3hflwe2c7h.onion/?VVVVVVVV 5. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

URLs

http://7rzpyw3hflwe2c7h.onion/?VVVVVVVV

http://helpqvrg3cc5mvb3.onion/

Signatures

Suspicious use of SendNotifyMessage 107 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid	process
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Drops file in Windows directory 44 IoCs

Processes:

msiexec.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSID94D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI72F1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\1d1a3.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB13.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE45A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF53E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4AC4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI63F7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6475.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3011.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6522.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6800.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6DED.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA6E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	explorer.exe
File opened for modification	C:\Windows\Installer\MSI5938.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C57.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6EF8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7169.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE38E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE68D.tmp	msiexec.exe
File created	C:\Windows\Installer\1d1a3.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI58F9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5BCA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2028.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A85.tmp	msiexec.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	explorer.exe
File opened for modification	C:\Windows\Installer\MSI61C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7254.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C27.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI68DB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6DBD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\1d1a0.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDC5B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE265.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF761.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI297C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5705.tmp	msiexec.exe
File created	C:\Windows\Installer\1d1a0.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE768.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI59D5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6959.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7B4B.tmp	msiexec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

568a1s0ssssd7da.exemsiexec.exe

description	pid	process	target process
PID 1464 wrote to memory of 1620	1464	568a1s0ssssd7da.exe	568a1s0ssssd7da.exe
PID 1464 wrote to memory of 1620	1464	568a1s0ssssd7da.exe	568a1s0ssssd7da.exe
PID 1464 wrote to memory of 1620	1464	568a1s0ssssd7da.exe	568a1s0ssssd7da.exe
PID 1464 wrote to memory of 1620	1464	568a1s0ssssd7da.exe	568a1s0ssssd7da.exe
PID 1464 wrote to memory of 1620	1464	568a1s0ssssd7da.exe	568a1s0ssssd7da.exe
PID 1464 wrote to memory of 1620	1464	568a1s0ssssd7da.exe	568a1s0ssssd7da.exe
PID 1464 wrote to memory of 1620	1464	568a1s0ssssd7da.exe	568a1s0ssssd7da.exe
PID 1464 wrote to memory of 1620	1464	568a1s0ssssd7da.exe	568a1s0ssssd7da.exe
PID 1464 wrote to memory of 1620	1464	568a1s0ssssd7da.exe	568a1s0ssssd7da.exe
PID 1464 wrote to memory of 1620	1464	568a1s0ssssd7da.exe	568a1s0ssssd7da.exe
PID 1548 wrote to memory of 816	1548	msiexec.exe	MsiExec.exe
PID 1548 wrote to memory of 816	1548	msiexec.exe	MsiExec.exe
PID 1548 wrote to memory of 816	1548	msiexec.exe	MsiExec.exe
PID 1548 wrote to memory of 816	1548	msiexec.exe	MsiExec.exe
PID 1548 wrote to memory of 816	1548	msiexec.exe	MsiExec.exe
PID 1548 wrote to memory of 580	1548	msiexec.exe	MsiExec.exe
PID 1548 wrote to memory of 580	1548	msiexec.exe	MsiExec.exe
PID 1548 wrote to memory of 580	1548	msiexec.exe	MsiExec.exe
PID 1548 wrote to memory of 580	1548	msiexec.exe	MsiExec.exe
PID 1548 wrote to memory of 580	1548	msiexec.exe	MsiExec.exe
PID 1548 wrote to memory of 580	1548	msiexec.exe	MsiExec.exe
PID 1548 wrote to memory of 580	1548	msiexec.exe	MsiExec.exe
PID 1548 wrote to memory of 1332	1548	msiexec.exe	MsiExec.exe
PID 1548 wrote to memory of 1332	1548	msiexec.exe	MsiExec.exe
PID 1548 wrote to memory of 1332	1548	msiexec.exe	MsiExec.exe
PID 1548 wrote to memory of 1332	1548	msiexec.exe	MsiExec.exe
PID 1548 wrote to memory of 1332	1548	msiexec.exe	MsiExec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

568a1s0ssssd7da.exe

description pid process target process

PID 1464 set thread context of 1620 1464 568a1s0ssssd7da.exe 568a1s0ssssd7da.exe

description	pid	process	target process
PID 1464 set thread context of 1620	1464	568a1s0ssssd7da.exe	568a1s0ssssd7da.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Drops startup file 1 IoCs

Processes:

568a1s0ssssd7da.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Read_Me.txt 568a1s0ssssd7da.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Read_Me.txt	568a1s0ssssd7da.exe

Modifies registry class 208 IoCs

Processes:

msiexec.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111e2-a502-11d2-bbca-00c04f8ec294}\Implemented Categories\	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111bd-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\ProgID	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111bd-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f0-a502-11d2-bbca-00c04f8ec294}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\VersionIndependentProgID\ = "HxDS.HxRegisterProtocol"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\Programmable\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\TypeLib\ = "{31411197-a502-11d2-bbca-00c04f8ec294}"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_Classes\Local Settings	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\Programmable	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111e2-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111bd-a502-11d2-bbca-00c04f8ec294}\TypeLib\ = "{31411199-a502-11d2-bbca-00c04f8ec294}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ = "Help HxProtocol"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\Programmable	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f7-a502-11d2-bbca-00c04f8ec294}\Implemented Categories	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111e2-a502-11d2-bbca-00c04f8ec294}\Implemented Categories	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111bd-a502-11d2-bbca-00c04f8ec294}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\TypeLib	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ = "\"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f0-a502-11d2-bbca-00c04f8ec294}\ = "HxRegistryWalker Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111db-a502-11d2-bbca-00c04f8ec294}\Implemented Categories	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\ = "HxProtocol Class"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111db-a502-11d2-bbca-00c04f8ec294}\ProgID	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{314111f0-a502-11d2-bbca-00c04f8ec294}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\ProgID\ = "HxDS.HxRegisterProtocol.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411219-a502-11d2-bbca-00c04f8ec294}\ = "HxRegisterSession Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411219-a502-11d2-bbca-00c04f8ec294}\TypeLib\ = "{31411197-A502-11D2-BBCA-00C04F8EC294}"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\TypeLib	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\VersionIndependentProgID	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111e2-a502-11d2-bbca-00c04f8ec294}\VersionIndependentProgID\ = "HxDs.HxFilters"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411219-a502-11d2-bbca-00c04f8ec294}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f7-a502-11d2-bbca-00c04f8ec294}\TypeLib\ = "{31411197-a502-11d2-bbca-00c04f8ec294}"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111e2-a502-11d2-bbca-00c04f8ec294}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\Implemented Categories	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{31411219-a502-11d2-bbca-00c04f8ec294}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111db-a502-11d2-bbca-00c04f8ec294}\Programmable\	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\TypeLib	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\Programmable	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111bd-a502-11d2-bbca-00c04f8ec294}\VersionIndependentProgID	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111e2-a502-11d2-bbca-00c04f8ec294}\TypeLib	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f7-a502-11d2-bbca-00c04f8ec294}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\xmlfile\shell\edit	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\xmlfile\shell\edit\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\xmlfile\DefaultIcon	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_Classes\Local Settings	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\Programmable	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\Implemented Categories	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411219-a502-11d2-bbca-00c04f8ec294}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411219-a502-11d2-bbca-00c04f8ec294}\VersionIndependentProgID\ = "HxDS.HxRegisterSession"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111e2-a502-11d2-bbca-00c04f8ec294}\TypeLib\ = "{31411199-a502-11d2-bbca-00c04f8ec294}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111bd-a502-11d2-bbca-00c04f8ec294}\Programmable\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\Implemented Categories\	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4536 IoCs

Processes:

568a1s0ssssd7da.exe

pid	process
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe
1620	568a1s0ssssd7da.exe

Suspicious use of AdjustPrivilegeToken 1005 IoCs

Processes:

explorer.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1776	explorer.exe
Token: SeShutdownPrivilege	1776	explorer.exe
Token: SeShutdownPrivilege	1776	explorer.exe
Token: SeShutdownPrivilege	1776	explorer.exe
Token: SeShutdownPrivilege	1776	explorer.exe
Token: SeShutdownPrivilege	1776	explorer.exe
Token: SeShutdownPrivilege	1776	explorer.exe
Token: SeShutdownPrivilege	1776	explorer.exe
Token: SeShutdownPrivilege	1776	explorer.exe
Token: SeIncreaseQuotaPrivilege	1776	explorer.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeSecurityPrivilege	1548	msiexec.exe
Token: SeCreateTokenPrivilege	1776	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	1776	explorer.exe
Token: SeLockMemoryPrivilege	1776	explorer.exe
Token: SeIncreaseQuotaPrivilege	1776	explorer.exe
Token: SeMachineAccountPrivilege	1776	explorer.exe
Token: SeTcbPrivilege	1776	explorer.exe
Token: SeSecurityPrivilege	1776	explorer.exe
Token: SeTakeOwnershipPrivilege	1776	explorer.exe
Token: SeLoadDriverPrivilege	1776	explorer.exe
Token: SeSystemProfilePrivilege	1776	explorer.exe
Token: SeSystemtimePrivilege	1776	explorer.exe
Token: SeProfSingleProcessPrivilege	1776	explorer.exe
Token: SeIncBasePriorityPrivilege	1776	explorer.exe
Token: SeCreatePagefilePrivilege	1776	explorer.exe
Token: SeCreatePermanentPrivilege	1776	explorer.exe
Token: SeBackupPrivilege	1776	explorer.exe
Token: SeRestorePrivilege	1776	explorer.exe
Token: SeShutdownPrivilege	1776	explorer.exe
Token: SeDebugPrivilege	1776	explorer.exe
Token: SeAuditPrivilege	1776	explorer.exe
Token: SeSystemEnvironmentPrivilege	1776	explorer.exe
Token: SeChangeNotifyPrivilege	1776	explorer.exe
Token: SeRemoteShutdownPrivilege	1776	explorer.exe
Token: SeUndockPrivilege	1776	explorer.exe
Token: SeSyncAgentPrivilege	1776	explorer.exe
Token: SeEnableDelegationPrivilege	1776	explorer.exe
Token: SeManageVolumePrivilege	1776	explorer.exe
Token: SeImpersonatePrivilege	1776	explorer.exe
Token: SeCreateGlobalPrivilege	1776	explorer.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeShutdownPrivilege	1776	explorer.exe
Token: SeShutdownPrivilege	1776	explorer.exe
Token: SeShutdownPrivilege	1776	explorer.exe
Token: SeShutdownPrivilege	1776	explorer.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe

Suspicious use of FindShellTrayWindow 101 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid	process
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1776	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe
1652	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

740 explorer.exe

pid	process
740	explorer.exe

Drops desktop.ini file(s) 41 IoCs

Processes:

568a1s0ssssd7da.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	\??\M:\$RECYCLE.BIN\S-1-5-21-1131729243-447456001-3632642222-1000\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RBDIK06K\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TGVUK4BG\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Public\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZMLBLRQ7\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AJM03J3Y\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	568a1s0ssssd7da.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	568a1s0ssssd7da.exe

Loads dropped DLL 42 IoCs

Processes:

MsiExec.exeMsiExec.exemsiexec.exeMsiExec.exe

pid	process
816	MsiExec.exe
816	MsiExec.exe
580	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
580	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
580	MsiExec.exe
816	MsiExec.exe
580	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
580	MsiExec.exe
580	MsiExec.exe
1548	msiexec.exe
1548	msiexec.exe
580	MsiExec.exe
580	MsiExec.exe
580	MsiExec.exe
580	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
1332	MsiExec.exe
1332	MsiExec.exe
1332	MsiExec.exe
1332	MsiExec.exe
1332	MsiExec.exe
1332	MsiExec.exe
1332	MsiExec.exe
1332	MsiExec.exe
1332	MsiExec.exe
1332	MsiExec.exe

Modifies service 2 TTPs 6 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	explorer.exe

Registers COM server for autorun 1 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411219-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411219-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{314111f0-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f0-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f0-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{314111f7-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f7-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f7-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f7-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f0-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{31411219-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411219-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll"	msiexec.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25	msiexec.exe

Drops file in Program Files directory 12078 IoCs

Processes:

568a1s0ssssd7da.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Tucuman	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\excelcnv.exe	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	568a1s0ssssd7da.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\Read_Me.txt	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PARNT_06.MID	568a1s0ssssd7da.exe
File created	C:\Program Files (x86)\Google\Update\Download\Read_Me.txt	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_sun.png	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Internet Explorer\images\bing.ico	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-10	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00167_.GIF	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH01013_.WMF	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45B.GIF	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msadcfr.dll	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DissolveNoise.png	568a1s0ssssd7da.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\Read_Me.txt	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21533_.GIF	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\IPOLKINTL.DLL	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATERMAR\WATERMAR.ELM	568a1s0ssssd7da.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\Read_Me.txt	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javafx-font.dll	568a1s0ssssd7da.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\Read_Me.txt	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\OISAPP.DLL	568a1s0ssssd7da.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\Read_Me.txt	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar	568a1s0ssssd7da.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\Read_Me.txt	568a1s0ssssd7da.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\Read_Me.txt	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolIcons\StatusDoNotDisturb.ico	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\Access\Part\Dialog.accdt	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-right.png	568a1s0ssssd7da.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Read_Me.txt	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099146.WMF	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01748_.GIF	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml	568a1s0ssssd7da.exe
File created	C:\Program Files\Microsoft Office\MEDIA\Read_Me.txt	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\POSTCD98.POC	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0205582.WMF	568a1s0ssssd7da.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\Read_Me.txt	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\SETLANG.HXS	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\UrbanLetter.Dotx	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif	568a1s0ssssd7da.exe
File created	C:\Program Files\Common Files\System\Read_Me.txt	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\WATER.INF	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Recife	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt	568a1s0ssssd7da.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00723_.WMF	568a1s0ssssd7da.exe

C:\Users\Admin\AppData\Local\Temp\568a1s0ssssd7da.exe
"C:\Users\Admin\AppData\Local\Temp\568a1s0ssssd7da.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1464

C:\Users\Admin\AppData\Local\Temp\568a1s0ssssd7da.exe
"{path}"
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:1620

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of SendNotifyMessage
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Drops desktop.ini file(s)
- Modifies service
PID:1776

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Registers COM server for autorun
- Modifies data under HKEY_USERS
PID:1548

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding A1FCF3F81C039F59AA63C13C17C15E6B
2⤵
- Loads dropped DLL
PID:816

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 74CED08A248517CF1F4BDF32A554E1C4
2⤵
- Loads dropped DLL
PID:580

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 711585DB22BAD5B6FB3547DC43DBDC52 M Global\MSI0000
2⤵
- Loads dropped DLL
PID:1332

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of SendNotifyMessage
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1464

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of SendNotifyMessage
- Modifies Installed Components in the registry
- Suspicious use of FindShellTrayWindow
- Modifies service
PID:1652

C:\Windows\explorer.exe
explorer.exe
1⤵
- Drops file in Windows directory
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Modifies service
PID:740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hx5733.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\Read_Me.txt

Download Submit
C:\Users\Admin\Desktop\CompareUnpublish.wma.readme

Download Submit
C:\Users\Admin\Desktop\DisconnectAdd.ttc.readme

Download Submit
C:\Users\Admin\Desktop\DisconnectStep.csv.readme

Download Submit
C:\Users\Admin\Desktop\ExpandResume.clr.readme

Download Submit
C:\Users\Admin\Desktop\ExpandSearch.vsx.readme

Download Submit
C:\Users\Admin\Desktop\GroupOpen.vsd.readme

Download Submit
C:\Users\Admin\Desktop\JoinPing.css.readme

Download Submit
C:\Users\Admin\Desktop\LockEdit.reg.readme

Download Submit
C:\Users\Admin\Desktop\MeasureAdd.raw.readme

Download Submit
C:\Users\Admin\Desktop\MeasureDisconnect.wmv.readme

Download Submit
C:\Users\Admin\Desktop\MergeDeny.vb.readme

Download Submit
C:\Users\Admin\Desktop\MountApprove.mp4.readme

Download Submit
C:\Users\Admin\Desktop\MoveStop.js.readme

Download Submit
C:\Users\Admin\Desktop\ProtectApprove.3gp2.readme

Download Submit
C:\Users\Admin\Desktop\Read_Me.txt

Download Submit
C:\Users\Admin\Desktop\RepairGrant.pptm.readme

Download Submit
C:\Users\Admin\Desktop\ResetAdd.mpv2.readme

Download Submit
C:\Users\Admin\Desktop\ResetMeasure.3g2.readme

Download Submit
C:\Users\Admin\Desktop\RevokeUnlock.mpg.readme

Download Submit
C:\Users\Admin\Desktop\ShowUnprotect.contact.readme

Download Submit
C:\Users\Admin\Desktop\StartSelect.exe.readme

Download Submit
C:\Users\Admin\Desktop\SubmitPublish.raw.readme

Download Submit
C:\Users\Admin\Desktop\SubmitRepair.nfo.readme

Download Submit
C:\Users\Admin\Desktop\desktop.ini.readme

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk.readme

Download Submit
C:\Users\Public\Desktop\Firefox.lnk.readme

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk.readme

Download Submit
C:\Users\Public\Desktop\Read_Me.txt

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk.readme

Download Submit
C:\Users\Public\Desktop\desktop.ini.readme

Download Submit
C:\Windows\Installer\MSI2028.tmp

Download Submit
C:\Windows\Installer\MSI297C.tmp

Download Submit
C:\Windows\Installer\MSI3011.tmp

Download Submit
C:\Windows\Installer\MSI4AC4.tmp

Download Submit
C:\Windows\Installer\MSI5705.tmp

Download Submit
C:\Windows\Installer\MSI58F9.tmp

Download Submit
C:\Windows\Installer\MSI5938.tmp

Download Submit
C:\Windows\Installer\MSI59D5.tmp

Download Submit
C:\Windows\Installer\MSI5BCA.tmp

Download Submit
C:\Windows\Installer\MSI5C57.tmp

Download Submit
C:\Windows\Installer\MSI61C5.tmp

Download Submit
C:\Windows\Installer\MSI63F7.tmp

Download Submit
C:\Windows\Installer\MSI6475.tmp

Download Submit
C:\Windows\Installer\MSI6522.tmp

Download Submit
C:\Windows\Installer\MSI6800.tmp

Download Submit
C:\Windows\Installer\MSI68DB.tmp

Download Submit
C:\Windows\Installer\MSI6959.tmp

Download Submit
C:\Windows\Installer\MSI6DBD.tmp

Download Submit
C:\Windows\Installer\MSI6DED.tmp

Download Submit
C:\Windows\Installer\MSI6EF8.tmp

Download Submit
C:\Windows\Installer\MSI7169.tmp

Download Submit
C:\Windows\Installer\MSI7254.tmp

Download Submit
C:\Windows\Installer\MSI72F1.tmp

Download Submit
C:\Windows\Installer\MSI7B4B.tmp

Download Submit
C:\Windows\Installer\MSI7C27.tmp

Download Submit
C:\Windows\Installer\MSID94D.tmp

Download Submit
C:\Windows\Installer\MSIDB13.tmp

Download Submit
C:\Windows\Installer\MSIDC5B.tmp

Download Submit
C:\Windows\Installer\MSIE265.tmp

Download Submit
C:\Windows\Installer\MSIE38E.tmp

Download Submit
C:\Windows\Installer\MSIE45A.tmp

Download Submit
C:\Windows\Installer\MSIE68D.tmp

Download Submit
C:\Windows\Installer\MSIE768.tmp

Download Submit
C:\Windows\Installer\MSIF53E.tmp

Download Submit
C:\Windows\Installer\MSIF761.tmp

Download Submit
C:\Windows\Installer\MSIFA6E.tmp

Download Submit
\??\M:\$RECYCLE.BIN\S-1-5-21-1131729243-447456001-3632642222-1000\desktop.ini

Download Submit
\Program Files\Microsoft Office\Office14\VVIEWDWG.DLL

Download Submit
\Program Files\Microsoft Office\Office14\VVIEWDWG.DLL

Download Submit
\Users\Admin\AppData\Local\Temp\Hx5733.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\Hx5733.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\Hx5733.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\Hx5733.tmp

Download Submit
\Windows\Installer\MSI2028.tmp

Download Submit
\Windows\Installer\MSI297C.tmp

Download Submit
\Windows\Installer\MSI3011.tmp

Download Submit
\Windows\Installer\MSI4AC4.tmp

Download Submit
\Windows\Installer\MSI5705.tmp

Download Submit
\Windows\Installer\MSI58F9.tmp

Download Submit
\Windows\Installer\MSI5938.tmp

Download Submit
\Windows\Installer\MSI59D5.tmp

Download Submit
\Windows\Installer\MSI5BCA.tmp

Download Submit
\Windows\Installer\MSI5C57.tmp

Download Submit
\Windows\Installer\MSI61C5.tmp

Download Submit
\Windows\Installer\MSI63F7.tmp

Download Submit
\Windows\Installer\MSI6475.tmp

Download Submit
\Windows\Installer\MSI6522.tmp

Download Submit
\Windows\Installer\MSI6800.tmp

Download Submit
\Windows\Installer\MSI68DB.tmp

Download Submit
\Windows\Installer\MSI6959.tmp

Download Submit
\Windows\Installer\MSI6DBD.tmp

Download Submit
\Windows\Installer\MSI6DED.tmp

Download Submit
\Windows\Installer\MSI6EF8.tmp

Download Submit
\Windows\Installer\MSI7169.tmp

Download Submit
\Windows\Installer\MSI7254.tmp

Download Submit
\Windows\Installer\MSI72F1.tmp

Download Submit
\Windows\Installer\MSI7B4B.tmp

Download Submit
\Windows\Installer\MSI7C27.tmp

Download Submit
\Windows\Installer\MSID94D.tmp

Download Submit
\Windows\Installer\MSIDB13.tmp

Download Submit
\Windows\Installer\MSIDC5B.tmp

Download Submit
\Windows\Installer\MSIE265.tmp

Download Submit
\Windows\Installer\MSIE38E.tmp

Download Submit
\Windows\Installer\MSIE45A.tmp

Download Submit
\Windows\Installer\MSIE68D.tmp

Download Submit
\Windows\Installer\MSIE768.tmp

Download Submit
\Windows\Installer\MSIF53E.tmp

Download Submit
\Windows\Installer\MSIF761.tmp

Download Submit
\Windows\Installer\MSIFA6E.tmp

Download Submit
memory/580-11-0x0000000000000000-mapping.dmp

Download
memory/740-111-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

Filesize
4KB

Download
memory/816-6-0x0000000000000000-mapping.dmp

Download
memory/1332-120-0x0000000000000000-mapping.dmp

Download
memory/1464-32-0x0000000009110000-0x0000000009114000-memory.dmp

Filesize
16KB

Download
memory/1464-33-0x0000000004910000-0x0000000004914000-memory.dmp

Filesize
16KB

Download
memory/1548-119-0x0000000000580000-0x0000000000582000-memory.dmp

Filesize
8KB

Download
memory/1548-142-0x0000000000580000-0x0000000000582000-memory.dmp

Filesize
8KB

Download
memory/1548-140-0x0000000005A40000-0x0000000005A44000-memory.dmp

Filesize
16KB

Download
memory/1548-48-0x0000000002F30000-0x0000000002F34000-memory.dmp

Filesize
16KB

Download
memory/1548-143-0x00000000013E0000-0x00000000013E4000-memory.dmp

Filesize
16KB

Download
memory/1548-104-0x0000000000580000-0x0000000000582000-memory.dmp

Filesize
8KB

Download
memory/1548-49-0x0000000000580000-0x0000000000582000-memory.dmp

Filesize
8KB

Download
memory/1548-133-0x0000000005A40000-0x0000000005A44000-memory.dmp

Filesize
16KB

Download
memory/1620-1-0x0000000000407CA0-mapping.dmp

Download
memory/1620-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1620-2-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1652-42-0x00000000042E0000-0x00000000042E4000-memory.dmp

Filesize
16KB

Download
memory/1652-37-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/1652-45-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/1652-38-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/1652-40-0x0000000008AE0000-0x0000000008AE4000-memory.dmp

Filesize
16KB

Download
memory/1776-4-0x00000000097A0000-0x00000000097A4000-memory.dmp

Filesize
16KB

Download
memory/1776-5-0x0000000004E90000-0x0000000004E94000-memory.dmp

Filesize
16KB

Download
memory/1776-3-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download