82375e3a9ac1890fa3fb693673e107e4fab53778a2d4cb9b00c4f045dd995697

Analysis

max time kernel
124s
max time network
70s
platform
windows7_x64
resource
win7v200722
submitted
14-08-2020 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCryptSoft.bin.exe
Size

106KB
MD5

8ba537f8d00a73d6cc1cc5dffa566ed1
SHA1

08419f52af8acc1bdac239bd65f64414597a8d96
SHA256

aac2024789ffd2bfce97d6a509136ecf7c43b18c2a83280b596e62d988cedb10
SHA512

7bc28f475d504e945d690ad998987d4184269dac8f7470842f356a50f9ff59dd1595b6cf87b2015844d7c3cf84e39f989a648700d28561251dc59428177a14f7

Score

10^/10

ransomware persistence spyware

Malware Config

Extracted

Path

\??\M:\Boot\cs-CZ\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://54fjmcwsszltlixn.onion/?QQQQQQQQ 5. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

URLs

http://54fjmcwsszltlixn.onion/?QQQQQQQQ

http://helpqvrg3cc5mvb3.onion/

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

DCryptSoft.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ExportFind.png => C:\Users\Admin\Pictures\ExportFind.png.readme	DCryptSoft.bin.exe
File renamed	C:\Users\Admin\Pictures\GetSend.tif => C:\Users\Admin\Pictures\GetSend.tif.readme	DCryptSoft.bin.exe
File renamed	C:\Users\Admin\Pictures\ReadSearch.raw => C:\Users\Admin\Pictures\ReadSearch.raw.readme	DCryptSoft.bin.exe

Drops startup file 1 IoCs

Processes:

DCryptSoft.bin.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Read_Me.txt DCryptSoft.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Read_Me.txt	DCryptSoft.bin.exe

Loads dropped DLL 42 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exe

pid	process
1944	MsiExec.exe
1944	MsiExec.exe
864	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
864	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
864	MsiExec.exe
1944	MsiExec.exe
864	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
864	MsiExec.exe
864	MsiExec.exe
864	MsiExec.exe
864	MsiExec.exe
864	MsiExec.exe
864	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1944	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1668	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 41 IoCs

Processes:

DCryptSoft.bin.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JSOYQ5ME\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Public\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	DCryptSoft.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\DUF815Z1\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YAUNGDT1\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\Z1YRRYOY\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	DCryptSoft.bin.exe
File opened for modification	\??\M:\$RECYCLE.BIN\S-1-5-21-2090973689-680783404-4292415065-1000\desktop.ini	explorer.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	DCryptSoft.bin.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	DCryptSoft.bin.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

JavaScript code in executable 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Hx3F8E.tmp	js
\Users\Admin\AppData\Local\Temp\Hx3F8E.tmp	js
\Users\Admin\AppData\Local\Temp\Hx3F8E.tmp	js
\Users\Admin\AppData\Local\Temp\Hx3F8E.tmp	js
\Users\Admin\AppData\Local\Temp\Hx3F8E.tmp	js

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	explorer.exe

Drops file in Program Files directory 12075 IoCs

Processes:

DCryptSoft.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5EDT	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\La_Paz	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_OFF.GIF	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\gadget.xml	DCryptSoft.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\RICHED20.DLL	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF	DCryptSoft.bin.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\Read_Me.txt	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14528_.GIF	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSPUB.TLB	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\VVIEWER.DLL	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png	DCryptSoft.bin.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\Read_Me.txt	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00175_.GIF	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FD01659_.WMF	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libgl_plugin.dll	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double.png	DCryptSoft.bin.exe
File created	C:\Program Files (x86)\Common Files\System\en-US\Read_Me.txt	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Dawson_Creek	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GROOVE.HXS	DCryptSoft.bin.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ne\Read_Me.txt	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libsubsdelay_plugin.dll	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_rest.png	DCryptSoft.bin.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Read_Me.txt	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtobe	DCryptSoft.bin.exe
File created	C:\Program Files\WindowsPowerShell\Read_Me.txt	DCryptSoft.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\chrome.dll.sig	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\GIFIMP32.FLT	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Fonts\Module.xml	DCryptSoft.bin.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\Read_Me.txt	DCryptSoft.bin.exe
File created	C:\Program Files\Windows Sidebar\en-US\Read_Me.txt	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099173.WMF	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0215709.WMF	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\BORDERS\MSART4.BDR	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\NAMECONTROLPROXY.DLL	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\librawdv_plugin.dll	DCryptSoft.bin.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\Read_Me.txt	DCryptSoft.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icucnv36.dll	DCryptSoft.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\hxdsui.dll	DCryptSoft.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_fil.dll	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CURRENCY.JPG	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ViewHeaderPreview.jpg	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_settings.png	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jre7\release	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18243_.WMF	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Stationery\1033\JUNGLE.GIF	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_pt_BR.properties	DCryptSoft.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guatemala	DCryptSoft.bin.exe

Drops file in Windows directory 44 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI5653.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI80D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8960.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB492.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFF31.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4454.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI91EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI92EB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE26C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI84EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI45EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI542F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8652.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8FE6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB7BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF7F0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F13.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\18ef5.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB1B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3590.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43B7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI58B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI874D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI985A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB6F3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDFAC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI485B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI59EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8025.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE0C6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF9.tmp	msiexec.exe
File created	C:\Windows\Installer\18ef8.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB8D9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI825A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3561.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI42DB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5577.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI56D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5933.tmp	msiexec.exe
File created	C:\Windows\Installer\18ef5.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI95CA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB43.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\18ef8.ipi	msiexec.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25	msiexec.exe

Modifies registry class 268 IoCs

Processes:

msiexec.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f0-a502-11d2-bbca-00c04f8ec294}\Programmable	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411219-a502-11d2-bbca-00c04f8ec294}\TypeLib\ = "{31411197-A502-11D2-BBCA-00C04F8EC294}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111e2-a502-11d2-bbca-00c04f8ec294}\ = "HxFilters Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111bd-a502-11d2-bbca-00c04f8ec294}\ProgID\ = "HxDs.HxRegister.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111bd-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\Programmable	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_Classes\Local Settings	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111bd-a502-11d2-bbca-00c04f8ec294}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111db-a502-11d2-bbca-00c04f8ec294}\TypeLib\ = "{314111d9-a502-11d2-bbca-00c04f8ec294}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111db-a502-11d2-bbca-00c04f8ec294}\Implemented Categories\	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111bd-a502-11d2-bbca-00c04f8ec294}\Programmable	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111bd-a502-11d2-bbca-00c04f8ec294}\Programmable	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111db-a502-11d2-bbca-00c04f8ec294}\Implemented Categories	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f7-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111e2-a502-11d2-bbca-00c04f8ec294}\VersionIndependentProgID\ = "HxDs.HxFilters"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\ = "HxSession Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\ProgID\ = "HxDS.HxSession.1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_Classes\Local Settings	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\TypeLib	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111db-a502-11d2-bbca-00c04f8ec294}\ProgID	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111e2-a502-11d2-bbca-00c04f8ec294}\Programmable	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f7-a502-11d2-bbca-00c04f8ec294}\TypeLib	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111e2-a502-11d2-bbca-00c04f8ec294}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler\ = "{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f0-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{314111f7-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\ = "HxRegisterProtocol Class"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\xmlfile\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f0-a502-11d2-bbca-00c04f8ec294}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111db-a502-11d2-bbca-00c04f8ec294}\Programmable\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111db-a502-11d2-bbca-00c04f8ec294}\ProgID\ = "Hxds.HxPlugIn.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_Classes\Local Settings	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C04E4E5E-89E6-43C0-92BD-D3F2C7FBA5C4}\1.0\FLAGS	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{314111f7-a502-11d2-bbca-00c04f8ec294}\Implemented Categories	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\ProgID\ = "HxDS.HxRegisterProtocol.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111db-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SOFTWARE\Microsoft\HTMLHelp\2.0\LocalReg\CLSID\{314111bd-a502-11d2-bbca-00c04f8ec294}\TypeLib	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\Programmable	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31411219-a502-11d2-bbca-00c04f8ec294}\VersionIndependentProgID	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f0-a502-11d2-bbca-00c04f8ec294}\ = "HxRegistryWalker Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111f7-a502-11d2-bbca-00c04f8ec294}\TypeLib\ = "{31411197-a502-11d2-bbca-00c04f8ec294}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{31411198-a502-11d2-bbca-00c04f8ec294}\Programmable	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{31411228-a502-11d2-bbca-00c04f8ec294}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\Programmable\	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0601-0000-0000-C000-000000000046}\ProxyStubClsid	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4514 IoCs

Processes:

DCryptSoft.bin.exe

pid	process
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe
828	DCryptSoft.bin.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exeexplorer.exe

pid process

1904 explorer.exe
976 explorer.exe

pid	process
1904	explorer.exe
976	explorer.exe

Suspicious use of AdjustPrivilegeToken 1089 IoCs

Processes:

explorer.exemsiexec.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	796	explorer.exe
Token: SeShutdownPrivilege	796	explorer.exe
Token: SeShutdownPrivilege	796	explorer.exe
Token: SeShutdownPrivilege	796	explorer.exe
Token: SeShutdownPrivilege	796	explorer.exe
Token: SeShutdownPrivilege	796	explorer.exe
Token: SeShutdownPrivilege	796	explorer.exe
Token: SeShutdownPrivilege	796	explorer.exe
Token: SeShutdownPrivilege	796	explorer.exe
Token: SeShutdownPrivilege	796	explorer.exe
Token: SeShutdownPrivilege	796	explorer.exe
Token: SeIncreaseQuotaPrivilege	796	explorer.exe
Token: SeShutdownPrivilege	796	explorer.exe
Token: SeShutdownPrivilege	796	explorer.exe
Token: SeShutdownPrivilege	796	explorer.exe
Token: SeShutdownPrivilege	796	explorer.exe
Token: SeRestorePrivilege	1684	msiexec.exe
Token: SeTakeOwnershipPrivilege	1684	msiexec.exe
Token: SeSecurityPrivilege	1684	msiexec.exe
Token: SeCreateTokenPrivilege	796	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	796	explorer.exe
Token: SeLockMemoryPrivilege	796	explorer.exe
Token: SeIncreaseQuotaPrivilege	796	explorer.exe
Token: SeMachineAccountPrivilege	796	explorer.exe
Token: SeTcbPrivilege	796	explorer.exe
Token: SeSecurityPrivilege	796	explorer.exe
Token: SeTakeOwnershipPrivilege	796	explorer.exe
Token: SeLoadDriverPrivilege	796	explorer.exe
Token: SeSystemProfilePrivilege	796	explorer.exe
Token: SeSystemtimePrivilege	796	explorer.exe
Token: SeProfSingleProcessPrivilege	796	explorer.exe
Token: SeIncBasePriorityPrivilege	796	explorer.exe
Token: SeCreatePagefilePrivilege	796	explorer.exe
Token: SeCreatePermanentPrivilege	796	explorer.exe
Token: SeBackupPrivilege	796	explorer.exe
Token: SeRestorePrivilege	796	explorer.exe
Token: SeShutdownPrivilege	796	explorer.exe
Token: SeDebugPrivilege	796	explorer.exe
Token: SeAuditPrivilege	796	explorer.exe
Token: SeSystemEnvironmentPrivilege	796	explorer.exe
Token: SeChangeNotifyPrivilege	796	explorer.exe
Token: SeRemoteShutdownPrivilege	796	explorer.exe
Token: SeUndockPrivilege	796	explorer.exe
Token: SeSyncAgentPrivilege	796	explorer.exe
Token: SeEnableDelegationPrivilege	796	explorer.exe
Token: SeManageVolumePrivilege	796	explorer.exe
Token: SeImpersonatePrivilege	796	explorer.exe
Token: SeCreateGlobalPrivilege	796	explorer.exe
Token: SeRestorePrivilege	1684	msiexec.exe
Token: SeTakeOwnershipPrivilege	1684	msiexec.exe
Token: SeRestorePrivilege	1684	msiexec.exe
Token: SeTakeOwnershipPrivilege	1684	msiexec.exe
Token: SeRestorePrivilege	1684	msiexec.exe
Token: SeTakeOwnershipPrivilege	1684	msiexec.exe
Token: SeRestorePrivilege	1684	msiexec.exe
Token: SeTakeOwnershipPrivilege	1684	msiexec.exe
Token: SeRestorePrivilege	1684	msiexec.exe
Token: SeTakeOwnershipPrivilege	1684	msiexec.exe
Token: SeRestorePrivilege	1684	msiexec.exe
Token: SeTakeOwnershipPrivilege	1684	msiexec.exe
Token: SeRestorePrivilege	1684	msiexec.exe
Token: SeTakeOwnershipPrivilege	1684	msiexec.exe
Token: SeShutdownPrivilege	1412	explorer.exe
Token: SeRestorePrivilege	1684	msiexec.exe

Suspicious use of FindShellTrayWindow 98 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe

Suspicious use of SendNotifyMessage 115 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
796	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1380	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe
1904	explorer.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

msiexec.exeMsiExec.exewevtutil.exe

description	pid	process	target process
PID 1684 wrote to memory of 1944	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 1944	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 1944	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 1944	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 1944	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 864	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 864	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 864	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 864	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 864	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 864	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 864	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 1880	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 1880	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 1880	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 1880	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 1880	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 1668	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 1668	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 1668	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 1668	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 1668	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 1668	1684	msiexec.exe	MsiExec.exe
PID 1684 wrote to memory of 1668	1684	msiexec.exe	MsiExec.exe
PID 1668 wrote to memory of 1992	1668	MsiExec.exe	wevtutil.exe
PID 1668 wrote to memory of 1992	1668	MsiExec.exe	wevtutil.exe
PID 1668 wrote to memory of 1992	1668	MsiExec.exe	wevtutil.exe
PID 1668 wrote to memory of 1992	1668	MsiExec.exe	wevtutil.exe
PID 1992 wrote to memory of 1612	1992	wevtutil.exe	wevtutil.exe
PID 1992 wrote to memory of 1612	1992	wevtutil.exe	wevtutil.exe
PID 1992 wrote to memory of 1612	1992	wevtutil.exe	wevtutil.exe
PID 1992 wrote to memory of 1612	1992	wevtutil.exe	wevtutil.exe

C:\Users\Admin\AppData\Local\Temp\DCryptSoft.bin.exe
"C:\Users\Admin\AppData\Local\Temp\DCryptSoft.bin.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:828

C:\Windows\explorer.exe
explorer.exe
1⤵
- Drops desktop.ini file(s)
- Modifies service
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:796

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 4927525E2EA4DF38A1EE24C2E156BBDF
2⤵
- Loads dropped DLL
PID:1944

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 714E150F4331D8FC73C1F3245146333C
2⤵
- Loads dropped DLL
PID:864

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding B66CA7BBB76453ADF451DE3285AD22DD M Global\MSI0000
2⤵
- Loads dropped DLL
PID:1880

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D00ED027D9C1D40072F54DA87F32A331 M Global\MSI0000
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\syswow64\wevtutil.exe
"wevtutil.exe" im "C:\Program Files\Microsoft Office\Office14\BCSEvents.man"
3⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\System32\wevtutil.exe
"wevtutil.exe" im "C:\Program Files\Microsoft Office\Office14\BCSEvents.man" /fromwow64
4⤵
PID:1612

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1412

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1380

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1904

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
PID:2036

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies service
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:976

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\en-US\

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hx3F8E.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\Read_Me.txt

Download Submit
C:\Users\Admin\Desktop\CheckpointInstall.vsdm.readme

Download Submit
C:\Users\Admin\Desktop\CheckpointLimit.eps.readme

Download Submit
C:\Users\Admin\Desktop\CompressDisable.odt.readme

Download Submit
C:\Users\Admin\Desktop\CompressUndo.WTV.readme

Download Submit
C:\Users\Admin\Desktop\EnableExpand.ogg.readme

Download Submit
C:\Users\Admin\Desktop\EnablePing.mhtml.readme

Download Submit
C:\Users\Admin\Desktop\GroupUnregister.ods.readme

Download Submit
C:\Users\Admin\Desktop\ImportUnlock.ram.readme

Download Submit
C:\Users\Admin\Desktop\OptimizeAdd.mpeg3.readme

Download Submit
C:\Users\Admin\Desktop\PopPing.aif.readme

Download Submit
C:\Users\Admin\Desktop\ProtectExpand.vsd.readme

Download Submit
C:\Users\Admin\Desktop\PublishExit.png.readme

Download Submit
C:\Users\Admin\Desktop\Read_Me.txt

Download Submit
C:\Users\Admin\Desktop\RenameSelect.wav.readme

Download Submit
C:\Users\Admin\Desktop\RestoreFormat.sql.readme

Download Submit
C:\Users\Admin\Desktop\RestoreWrite.xlsb.readme

Download Submit
C:\Users\Admin\Desktop\ResumeDisable.xhtml.readme

Download Submit
C:\Users\Admin\Desktop\RevokeUnlock.dib.readme

Download Submit
C:\Users\Admin\Desktop\SkipClose.gif.readme

Download Submit
C:\Users\Admin\Desktop\SubmitDebug.rmi.readme

Download Submit
C:\Users\Admin\Desktop\SwitchEnter.vb.readme

Download Submit
C:\Users\Admin\Desktop\TraceEnter.wax.readme

Download Submit
C:\Users\Admin\Desktop\UnblockReceive.vb.readme

Download Submit
C:\Users\Admin\Desktop\desktop.ini.readme

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk.readme

Download Submit
C:\Users\Public\Desktop\Firefox.lnk.readme

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk.readme

Download Submit
C:\Users\Public\Desktop\Read_Me.txt

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk.readme

Download Submit
C:\Users\Public\Desktop\desktop.ini.readme

Download Submit
C:\Windows\Installer\MSI3590.tmp

Download Submit
C:\Windows\Installer\MSI3F13.tmp

Download Submit
C:\Windows\Installer\MSI42DB.tmp

Download Submit
C:\Windows\Installer\MSI43B7.tmp

Download Submit
C:\Windows\Installer\MSI4454.tmp

Download Submit
C:\Windows\Installer\MSI45EA.tmp

Download Submit
C:\Windows\Installer\MSI485B.tmp

Download Submit
C:\Windows\Installer\MSI542F.tmp

Download Submit
C:\Windows\Installer\MSI5577.tmp

Download Submit
C:\Windows\Installer\MSI5653.tmp

Download Submit
C:\Windows\Installer\MSI56D0.tmp

Download Submit
C:\Windows\Installer\MSI58B5.tmp

Download Submit
C:\Windows\Installer\MSI5933.tmp

Download Submit
C:\Windows\Installer\MSI59EF.tmp

Download Submit
C:\Windows\Installer\MSI8025.tmp

Download Submit
C:\Windows\Installer\MSI80D2.tmp

Download Submit
C:\Windows\Installer\MSI825A.tmp

Download Submit
C:\Windows\Installer\MSI84EA.tmp

Download Submit
C:\Windows\Installer\MSI8652.tmp

Download Submit
C:\Windows\Installer\MSI874D.tmp

Download Submit
C:\Windows\Installer\MSI8960.tmp

Download Submit
C:\Windows\Installer\MSI8FE6.tmp

Download Submit
C:\Windows\Installer\MSI91EA.tmp

Download Submit
C:\Windows\Installer\MSI92EB.tmp

Download Submit
C:\Windows\Installer\MSI95CA.tmp

Download Submit
C:\Windows\Installer\MSI985A.tmp

Download Submit
C:\Windows\Installer\MSIB43.tmp

Download Submit
C:\Windows\Installer\MSIB492.tmp

Download Submit
C:\Windows\Installer\MSIB6F3.tmp

Download Submit
C:\Windows\Installer\MSIB7BF.tmp

Download Submit
C:\Windows\Installer\MSIB8D9.tmp

Download Submit
C:\Windows\Installer\MSIBB1B.tmp

Download Submit
C:\Windows\Installer\MSICF9.tmp

Download Submit
C:\Windows\Installer\MSIDFAC.tmp

Download Submit
C:\Windows\Installer\MSIE0C6.tmp

Download Submit
C:\Windows\Installer\MSIE26C.tmp

Download Submit
C:\Windows\Installer\MSIF7F0.tmp

Download Submit
C:\Windows\Installer\MSIFF31.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\Hx3F8E.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\Hx3F8E.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\Hx3F8E.tmp

Download Submit
\Users\Admin\AppData\Local\Temp\Hx3F8E.tmp

Download Submit
\Windows\Installer\MSI3590.tmp

Download Submit
\Windows\Installer\MSI3F13.tmp

Download Submit
\Windows\Installer\MSI42DB.tmp

Download Submit
\Windows\Installer\MSI43B7.tmp

Download Submit
\Windows\Installer\MSI4454.tmp

Download Submit
\Windows\Installer\MSI45EA.tmp

Download Submit
\Windows\Installer\MSI485B.tmp

Download Submit
\Windows\Installer\MSI542F.tmp

Download Submit
\Windows\Installer\MSI5577.tmp

Download Submit
\Windows\Installer\MSI5653.tmp

Download Submit
\Windows\Installer\MSI56D0.tmp

Download Submit
\Windows\Installer\MSI58B5.tmp

Download Submit
\Windows\Installer\MSI5933.tmp

Download Submit
\Windows\Installer\MSI59EF.tmp

Download Submit
\Windows\Installer\MSI8025.tmp

Download Submit
\Windows\Installer\MSI80D2.tmp

Download Submit
\Windows\Installer\MSI825A.tmp

Download Submit
\Windows\Installer\MSI84EA.tmp

Download Submit
\Windows\Installer\MSI8652.tmp

Download Submit
\Windows\Installer\MSI874D.tmp

Download Submit
\Windows\Installer\MSI8960.tmp

Download Submit
\Windows\Installer\MSI8FE6.tmp

Download Submit
\Windows\Installer\MSI91EA.tmp

Download Submit
\Windows\Installer\MSI92EB.tmp

Download Submit
\Windows\Installer\MSI95CA.tmp

Download Submit
\Windows\Installer\MSI985A.tmp

Download Submit
\Windows\Installer\MSIB43.tmp

Download Submit
\Windows\Installer\MSIB492.tmp

Download Submit
\Windows\Installer\MSIB6F3.tmp

Download Submit
\Windows\Installer\MSIB7BF.tmp

Download Submit
\Windows\Installer\MSIB8D9.tmp

Download Submit
\Windows\Installer\MSIBB1B.tmp

Download Submit
\Windows\Installer\MSICF9.tmp

Download Submit
\Windows\Installer\MSIDFAC.tmp

Download Submit
\Windows\Installer\MSIE0C6.tmp

Download Submit
\Windows\Installer\MSIE26C.tmp

Download Submit
\Windows\Installer\MSIF7F0.tmp

Download Submit
\Windows\Installer\MSIFF31.tmp

Download Submit
memory/796-2-0x00000000097D0000-0x00000000097D4000-memory.dmp

Filesize
16KB

Download
memory/796-3-0x0000000004FD0000-0x0000000004FD4000-memory.dmp

Filesize
16KB

Download
memory/796-0-0x0000000003C30000-0x0000000003C31000-memory.dmp

Filesize
4KB

Download
memory/864-9-0x0000000000000000-mapping.dmp

Download
memory/976-150-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/976-151-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download
memory/1380-25-0x0000000004C40000-0x0000000004C44000-memory.dmp

Filesize
16KB

Download
memory/1380-24-0x0000000009200000-0x0000000009204000-memory.dmp

Filesize
16KB

Download
memory/1412-22-0x00000000090C0000-0x00000000090C4000-memory.dmp

Filesize
16KB

Download
memory/1412-23-0x00000000048C0000-0x00000000048C4000-memory.dmp

Filesize
16KB

Download
memory/1612-140-0x0000000000000000-mapping.dmp

Download
memory/1668-136-0x0000000000000000-mapping.dmp

Download
memory/1684-146-0x0000000005DA0000-0x0000000005DA4000-memory.dmp

Filesize
16KB

Download
memory/1684-148-0x0000000000F00000-0x0000000000F04000-memory.dmp

Filesize
16KB

Download
memory/1684-45-0x0000000000F00000-0x0000000000F04000-memory.dmp

Filesize
16KB

Download
memory/1684-44-0x0000000001390000-0x0000000001394000-memory.dmp

Filesize
16KB

Download
memory/1684-149-0x0000000001390000-0x0000000001394000-memory.dmp

Filesize
16KB

Download
memory/1684-133-0x0000000005DA0000-0x0000000005DA4000-memory.dmp

Filesize
16KB

Download
memory/1684-107-0x0000000001390000-0x0000000001394000-memory.dmp

Filesize
16KB

Download
memory/1684-131-0x0000000005DA0000-0x0000000005DA4000-memory.dmp

Filesize
16KB

Download
memory/1684-88-0x0000000000F00000-0x0000000000F04000-memory.dmp

Filesize
16KB

Download
memory/1684-117-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/1684-96-0x0000000000F00000-0x0000000000F04000-memory.dmp

Filesize
16KB

Download
memory/1880-118-0x0000000000000000-mapping.dmp

Download
memory/1904-37-0x0000000004A10000-0x0000000004A14000-memory.dmp

Filesize
16KB

Download
memory/1904-28-0x0000000004A10000-0x0000000004A14000-memory.dmp

Filesize
16KB

Download
memory/1904-27-0x0000000008FD0000-0x0000000008FD4000-memory.dmp

Filesize
16KB

Download
memory/1944-4-0x0000000000000000-mapping.dmp

Download
memory/1992-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads