cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5

Analysis

max time kernel
204s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
27-04-2022 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
Size

768KB
MD5

b91a0667873d96294f66defbdf11c315
SHA1

cdc042cf69fd0c6999e77a8f6c81c99912a8bcf5
SHA256

cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5
SHA512

ff47c9cece19f728a62bf5a40ed646a3aa8fb33a0015dd0c395b889d20683a6d21ea2dd851c50ccf52e8095425ffdccf26a5aebc76843380cc520757895a7685

Score

10^/10

adware discovery evasion persistence stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Executes dropped EXE 1 IoCs

Processes:

MSI39F7.tmp

pid process

3000 MSI39F7.tmp
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
3000	MSI39F7.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe

Loads dropped DLL 7 IoCs

Processes:

MsiExec.exeMsiExec.exevcredist_x86.exeVC_redist.x64.exeMsiExec.exeMsiExec.exe

pid process

2448 MsiExec.exe
536 MsiExec.exe
536 MsiExec.exe
2836 vcredist_x86.exe
1588 VC_redist.x64.exe
3400 MsiExec.exe
488 MsiExec.exe

pid	process
2448	MsiExec.exe
536	MsiExec.exe
536	MsiExec.exe
2836	vcredist_x86.exe
1588	VC_redist.x64.exe
3400	MsiExec.exe
488	MsiExec.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vcredist_x86.exeVC_redist.x64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} = "\"C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_x86_20220427200020.log\" /uninstall /quiet /norestart ignored /burn.runonce"	vcredist_x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13} = "\"C:\\ProgramData\\Package Cache\\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vcredist_x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 46 IoCs

Processes:

msiexec.execac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\mfc110deu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc110esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc110rus.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp110.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120enu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc110fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm120.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120rus.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc110enu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\mms.cfg	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
File opened for modification	C:\Windows\SysWOW64\mfc110u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm110.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm110u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm120u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc110kor.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcamp110.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120jpn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc110chs.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc110ita.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc110jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120ita.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120chs.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120deu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120kor.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\macromed\Flash\mms.cfg	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120cht.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc110.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc110cht.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_ja.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\splash@2x.gif	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\access-bridge-64.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\sunpkcs11.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\blacklisted.certs	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\Welcome.html	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\CIEXYZ.pf	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\zip.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\sound.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\j2pcsc.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\verify.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\plugin2\npjp2.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\sunjce_provider.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fontconfig.properties.src	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\sunmscapi.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\local_policy.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\trusted.libraries	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\COPYRIGHT	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\deployJava1.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javafx_iio.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\US_export_policy.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\GRAY.pf	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\localedata.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\splashscreen.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fontconfig.bfc	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\tzdb.dat	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_ko.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\cldrdata.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_CopyNoDrop32x32.gif	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\wsdetect.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\javaws.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\plugin.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\currency.data	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\jfxrt.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaBrightDemiBold.ttf	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaBrightDemiItalic.ttf	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_MoveDrop32x32.gif	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dcpr.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\j2pkcs11.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\charsets.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\cacerts	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_es.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_pt_BR.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\glass.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\w2k_lsa_auth.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\Xusage.txt	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\rt.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dt_shmem.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kcms.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\resource.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_CN.properties	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\jaccess.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javafx_font_t2k.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\msvcp120.dll	msiexec.exe

Drops file in Windows directory 14 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI39F7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA24A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA2E7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI505E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6781.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6B7A.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI97B8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA15F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9FB8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI734B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7FFE.tmp	msiexec.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5072 2836 WerFault.exe vcredist_x86.exe
3888 1588 WerFault.exe VC_redist.x64.exe

pid	pid_target	process	target process
5072	2836	WerFault.exe	vcredist_x86.exe
3888	1588	WerFault.exe	VC_redist.x64.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e111c2ed168134740000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e111c2ed0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900e111c2ed000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e111c2ed00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e111c2ed00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

Processes:

MSI39F7.tmp

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MSI39F7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MSI39F7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName	MSI39F7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath	MSI39F7.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	MSI39F7.tmp

Modifies data under HKEY_USERS 12 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

Processes:

MSI39F7.tmp

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0057-ABCDEFFEDCBC}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0012-ABCDEFFEDCBB}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBA}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0101-ABCDEFFEDCBB}	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0011-ABCDEFFEDCBB}	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0052-ABCDEFFEDCBB}	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBB}	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0069-ABCDEFFEDCBA}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0002-0019-ABCDEFFEDCBB}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0098-ABCDEFFEDCBA}	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0037-ABCDEFFEDCBB}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0099-ABCDEFFEDCBA}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0089-ABCDEFFEDCBA}	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBB}	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0055-ABCDEFFEDCBA}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0009-ABCDEFFEDCBB}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0091-ABCDEFFEDCBC}\INPROCSERVER32	MSI39F7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0058-ABCDEFFEDCBC}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0095-ABCDEFFEDCBA}	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBB}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBB}	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0013-ABCDEFFEDCBA}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBB}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0062-ABCDEFFEDCBC}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0007-ABCDEFFEDCBB}	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0034-ABCDEFFEDCBC}	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0039-ABCDEFFEDCBA}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0041-ABCDEFFEDCBA}	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0041-ABCDEFFEDCBB}	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC}	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBC}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0056-ABCDEFFEDCBA}	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBC}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0075-ABCDEFFEDCBB}	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBB}	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBC}	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0039-ABCDEFFEDCBA}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBB}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0047-ABCDEFFEDCBB}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0048-ABCDEFFEDCBB}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBB}	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0017-ABCDEFFEDCBB}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0088-ABCDEFFEDCBB}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBC}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBB}	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBC}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0025-ABCDEFFEDCBA}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA}	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBA}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0064-ABCDEFFEDCBB}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBB}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBB}	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBA}\INPROCSERVER32	MSI39F7.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0008-ABCDEFFEDCBB}\INPROCSERVER32	MSI39F7.tmp

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exeMSI39F7.tmpjp2launcher.exemsiexec.exe

pid	process
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
3000	MSI39F7.tmp
3000	MSI39F7.tmp
4688	jp2launcher.exe
4688	jp2launcher.exe
924	msiexec.exe
924	msiexec.exe
924	msiexec.exe
924	msiexec.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
924	msiexec.exe
924	msiexec.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exeMSI39F7.tmp

description	pid	process
Token: SeShutdownPrivilege	224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	224	msiexec.exe
Token: SeSecurityPrivilege	924	msiexec.exe
Token: SeCreateTokenPrivilege	224	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	224	msiexec.exe
Token: SeLockMemoryPrivilege	224	msiexec.exe
Token: SeIncreaseQuotaPrivilege	224	msiexec.exe
Token: SeMachineAccountPrivilege	224	msiexec.exe
Token: SeTcbPrivilege	224	msiexec.exe
Token: SeSecurityPrivilege	224	msiexec.exe
Token: SeTakeOwnershipPrivilege	224	msiexec.exe
Token: SeLoadDriverPrivilege	224	msiexec.exe
Token: SeSystemProfilePrivilege	224	msiexec.exe
Token: SeSystemtimePrivilege	224	msiexec.exe
Token: SeProfSingleProcessPrivilege	224	msiexec.exe
Token: SeIncBasePriorityPrivilege	224	msiexec.exe
Token: SeCreatePagefilePrivilege	224	msiexec.exe
Token: SeCreatePermanentPrivilege	224	msiexec.exe
Token: SeBackupPrivilege	224	msiexec.exe
Token: SeRestorePrivilege	224	msiexec.exe
Token: SeShutdownPrivilege	224	msiexec.exe
Token: SeDebugPrivilege	224	msiexec.exe
Token: SeAuditPrivilege	224	msiexec.exe
Token: SeSystemEnvironmentPrivilege	224	msiexec.exe
Token: SeChangeNotifyPrivilege	224	msiexec.exe
Token: SeRemoteShutdownPrivilege	224	msiexec.exe
Token: SeUndockPrivilege	224	msiexec.exe
Token: SeSyncAgentPrivilege	224	msiexec.exe
Token: SeEnableDelegationPrivilege	224	msiexec.exe
Token: SeManageVolumePrivilege	224	msiexec.exe
Token: SeImpersonatePrivilege	224	msiexec.exe
Token: SeCreateGlobalPrivilege	224	msiexec.exe
Token: SeRestorePrivilege	924	msiexec.exe
Token: SeTakeOwnershipPrivilege	924	msiexec.exe
Token: SeDebugPrivilege	3000	MSI39F7.tmp
Token: SeBackupPrivilege	3000	MSI39F7.tmp
Token: SeRestorePrivilege	3000	MSI39F7.tmp
Token: SeBackupPrivilege	3000	MSI39F7.tmp
Token: SeRestorePrivilege	3000	MSI39F7.tmp
Token: SeBackupPrivilege	3000	MSI39F7.tmp
Token: SeRestorePrivilege	3000	MSI39F7.tmp
Token: SeRestorePrivilege	924	msiexec.exe
Token: SeTakeOwnershipPrivilege	924	msiexec.exe
Token: SeRestorePrivilege	924	msiexec.exe
Token: SeTakeOwnershipPrivilege	924	msiexec.exe
Token: SeRestorePrivilege	924	msiexec.exe
Token: SeTakeOwnershipPrivilege	924	msiexec.exe
Token: SeRestorePrivilege	924	msiexec.exe
Token: SeTakeOwnershipPrivilege	924	msiexec.exe
Token: SeRestorePrivilege	924	msiexec.exe
Token: SeTakeOwnershipPrivilege	924	msiexec.exe
Token: SeRestorePrivilege	924	msiexec.exe
Token: SeTakeOwnershipPrivilege	924	msiexec.exe
Token: SeRestorePrivilege	924	msiexec.exe
Token: SeTakeOwnershipPrivilege	924	msiexec.exe
Token: SeRestorePrivilege	924	msiexec.exe
Token: SeTakeOwnershipPrivilege	924	msiexec.exe
Token: SeRestorePrivilege	924	msiexec.exe
Token: SeTakeOwnershipPrivilege	924	msiexec.exe
Token: SeRestorePrivilege	924	msiexec.exe
Token: SeTakeOwnershipPrivilege	924	msiexec.exe
Token: SeRestorePrivilege	924	msiexec.exe
Token: SeTakeOwnershipPrivilege	924	msiexec.exe
Token: SeRestorePrivilege	924	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msiexec.exemsiexec.exe

pid process

2136 msiexec.exe
2136 msiexec.exe
3868 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

jp2launcher.exe

pid process

4688 jp2launcher.exe

pid	process
2136	msiexec.exe
2136	msiexec.exe
3868	msiexec.exe

pid	process
4688	jp2launcher.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.execmd.execmd.execmd.execmd.exenet.execmd.execmd.exemsiexec.exeMSI39F7.tmpjavaws.exejaureg.exevcredist_x86.exe

description	pid	process	target process
PID 2508 wrote to memory of 3660	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 2508 wrote to memory of 3660	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 2508 wrote to memory of 3660	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 3660 wrote to memory of 396	3660	cmd.exe	schtasks.exe
PID 3660 wrote to memory of 396	3660	cmd.exe	schtasks.exe
PID 3660 wrote to memory of 396	3660	cmd.exe	schtasks.exe
PID 2508 wrote to memory of 4504	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 2508 wrote to memory of 4504	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 2508 wrote to memory of 4504	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 4504 wrote to memory of 4436	4504	cmd.exe	schtasks.exe
PID 4504 wrote to memory of 4436	4504	cmd.exe	schtasks.exe
PID 4504 wrote to memory of 4436	4504	cmd.exe	schtasks.exe
PID 2508 wrote to memory of 4372	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 2508 wrote to memory of 4372	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 2508 wrote to memory of 4372	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 4372 wrote to memory of 4808	4372	cmd.exe	schtasks.exe
PID 4372 wrote to memory of 4808	4372	cmd.exe	schtasks.exe
PID 4372 wrote to memory of 4808	4372	cmd.exe	schtasks.exe
PID 2508 wrote to memory of 4852	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 2508 wrote to memory of 4852	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 2508 wrote to memory of 4852	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 4852 wrote to memory of 3880	4852	cmd.exe	net.exe
PID 4852 wrote to memory of 3880	4852	cmd.exe	net.exe
PID 4852 wrote to memory of 3880	4852	cmd.exe	net.exe
PID 3880 wrote to memory of 5048	3880	net.exe	net1.exe
PID 3880 wrote to memory of 5048	3880	net.exe	net1.exe
PID 3880 wrote to memory of 5048	3880	net.exe	net1.exe
PID 2508 wrote to memory of 1540	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 2508 wrote to memory of 1540	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 2508 wrote to memory of 1540	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 1540 wrote to memory of 4068	1540	cmd.exe	sc.exe
PID 1540 wrote to memory of 4068	1540	cmd.exe	sc.exe
PID 1540 wrote to memory of 4068	1540	cmd.exe	sc.exe
PID 2508 wrote to memory of 5004	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 2508 wrote to memory of 5004	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 2508 wrote to memory of 5004	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	cmd.exe
PID 5004 wrote to memory of 224	5004	cmd.exe	msiexec.exe
PID 5004 wrote to memory of 224	5004	cmd.exe	msiexec.exe
PID 5004 wrote to memory of 224	5004	cmd.exe	msiexec.exe
PID 924 wrote to memory of 3000	924	msiexec.exe	MSI39F7.tmp
PID 924 wrote to memory of 3000	924	msiexec.exe	MSI39F7.tmp
PID 3000 wrote to memory of 2956	3000	MSI39F7.tmp	javaws.exe
PID 3000 wrote to memory of 2956	3000	MSI39F7.tmp	javaws.exe
PID 2956 wrote to memory of 4688	2956	javaws.exe	jp2launcher.exe
PID 2956 wrote to memory of 4688	2956	javaws.exe	jp2launcher.exe
PID 3000 wrote to memory of 1652	3000	MSI39F7.tmp	jaureg.exe
PID 3000 wrote to memory of 1652	3000	MSI39F7.tmp	jaureg.exe
PID 3000 wrote to memory of 1652	3000	MSI39F7.tmp	jaureg.exe
PID 1652 wrote to memory of 3508	1652	jaureg.exe	msiexec.exe
PID 1652 wrote to memory of 3508	1652	jaureg.exe	msiexec.exe
PID 1652 wrote to memory of 3508	1652	jaureg.exe	msiexec.exe
PID 924 wrote to memory of 2448	924	msiexec.exe	MsiExec.exe
PID 924 wrote to memory of 2448	924	msiexec.exe	MsiExec.exe
PID 924 wrote to memory of 2448	924	msiexec.exe	MsiExec.exe
PID 924 wrote to memory of 536	924	msiexec.exe	MsiExec.exe
PID 924 wrote to memory of 536	924	msiexec.exe	MsiExec.exe
PID 924 wrote to memory of 536	924	msiexec.exe	MsiExec.exe
PID 2508 wrote to memory of 2460	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	vcredist_x86.exe
PID 2508 wrote to memory of 2460	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	vcredist_x86.exe
PID 2508 wrote to memory of 2460	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	vcredist_x86.exe
PID 2460 wrote to memory of 2836	2460	vcredist_x86.exe	vcredist_x86.exe
PID 2460 wrote to memory of 2836	2460	vcredist_x86.exe	vcredist_x86.exe
PID 2460 wrote to memory of 2836	2460	vcredist_x86.exe	vcredist_x86.exe
PID 2508 wrote to memory of 312	2508	cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe	VC_redist.x64.exe

C:\Users\Admin\AppData\Local\Temp\cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe
"C:\Users\Admin\AppData\Local\Temp\cac8c6cbc58a95d3e27743932d9c2f736f5c272c0370a7c5f5784aefe557cbe5.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c SCHTASKS /Delete /TN "Adobe Flash Player PPAPI Notifier" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "Adobe Flash Player PPAPI Notifier" /F
3⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c SCHTASKS /Delete /TN "Adobe Flash Player NPAPI Notifier" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "Adobe Flash Player NPAPI Notifier" /F
3⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c SCHTASKS /Delete /TN "Adobe Flash Player Updater" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Delete /TN "Adobe Flash Player Updater" /F
3⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c net stop AdobeFlashPlayerUpdateSvc
2⤵
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\SysWOW64\net.exe
net stop AdobeFlashPlayerUpdateSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AdobeFlashPlayerUpdateSvc
4⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c sc delete AdobeFlashPlayerUpdateSvc
2⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\sc.exe
sc delete AdobeFlashPlayerUpdateSvc
3⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c msiexec.exe /x {26A24AE4-039D-4CA4-87B4-2F86418066F0} /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /x {26A24AE4-039D-4CA4-87B4-2F86418066F0} /quiet /norestart
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
"C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe" /uninstall /quiet /norestart
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2460

C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
"C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe" /uninstall /quiet /norestart -burn.unelevated BurnPipe.{E74F290D-8CB5-41B8-96D2-6E37B4ADE2FD} {AC25CC71-4CD1-4901-9EB5-A7764ED4CBEE} 2460
3⤵
- Loads dropped DLL
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 888
4⤵
- Program crash
PID:5072

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" /uninstall /quiet /norestart
2⤵
PID:312

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 /uninstall /quiet /norestart
3⤵
- Loads dropped DLL
PID:1588

C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{B01C7798-0508-4FE8-BF9C-860EFE6ECDEF} {CDA48ACF-A433-412C-BA00-BDE6ECA0A2C5} 1588
4⤵
- Adds Run key to start application
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 968
4⤵
- Program crash
PID:3888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c msiexec.exe /x "{7DAD0258-515C-3DD4-8964-BD714199E0F7}" /qb
2⤵
PID:1936

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /x "{7DAD0258-515C-3DD4-8964-BD714199E0F7}" /qb
3⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:2136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c msiexec.exe /x "{B175520C-86A2-35A7-8619-86DC379688B9}" /qb
2⤵
PID:3544

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /x "{B175520C-86A2-35A7-8619-86DC379688B9}" /qb
3⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:3868

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\Installer\MSI39F7.tmp
"C:\Windows\Installer\MSI39F7.tmp" ProductCode={26A24AE4-039D-4CA4-87B4-2F86418066F0} /s
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000

C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_66" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzY2XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4688

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
"C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -u auto-update
3⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe" /x {4A03706F-666A-4037-7777-5F2748764D10} /qn
4⤵
PID:3508

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 17347C96187EC1BD768CDD846714FAC2
2⤵
- Loads dropped DLL
PID:2448

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AB64A00927CCF56A572DBF850DCB81E2 E Global\MSI0000
2⤵
- Loads dropped DLL
PID:536

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 749B46B029C9149CAA92B92D6BE1B608
2⤵
- Loads dropped DLL
PID:3400

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8683CA8CC52DF082CEDE36DE67F96DA6
2⤵
- Loads dropped DLL
PID:488

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3504

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2836 -ip 2836
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1588 -ip 1588
1⤵
PID:2408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI96538.LOG
Filesize
2KB

MD5
60b7d8133dd1c84571b0bb75bd8d2a6c

SHA1
34211abffbdcff553e190708a22ebfce0b06f480

SHA256
8545db1f30a321b503474c73c8991c97da0ddd504ca58ca0c2d5eef9691a1edb

SHA512
92276a3ac05e9f3d5f096d8772c03d20285f58d41ec73c4c651b19e5b5d52a6dae21c002870a5f3d38d1fb56dd5a0aaf2e0e5e66e81b61618fcf274678d45e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI971bb.LOG
Filesize
2KB

MD5
0c568afa97a366fcd60ee7ccce52d38f

SHA1
87ccedce4e98717b87584cfbb807c1dbaf153c83

SHA256
a421c123e01e35368ff420be382b6cda3bebd8b1cba3a5fe0d256912c0edd509

SHA512
33e194efb15090bac608d46e4ae3749566c0488248f482f26539286b1aadd7f47ed8299f6ddd7879dc6603343c1e0c17b5a003017961391861c6068df0286a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20220427200043_000_vcRuntimeAdditional_x64.log
Filesize
1KB

MD5
dace662563ec2ae504cbaea9e841940a

SHA1
08edb96f5a137a5c07d52be61f82186e6ad3cc51

SHA256
c258548fc8b2ff83e01c126026c742a033ff5a2980d94d9a9af47e232e6e452d

SHA512
f2c588f7434b4c9fa82eeac5a8f40ccc91f40065ab7102a76dd6e435e5051453d0c8f05d49df9d385855f421e84cfef3b7148892faa8ba5996bde54b8025e5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
286KB

MD5
e90348dd8f9b29c301fd324be816c8b3

SHA1
ae868e5afba0a6a48c1033674005673d448fe415

SHA256
d8df05e564c9aa83d55a0dd59822d4cf70e55fe120bc110f74ee8731c7766a8b

SHA512
b4a4cf19e6ae7f6709dea4e6098db00e30f3d00c4aeff65a79a83487111376405cc1e03cc0a9545253847b1ac900911b4e94d53e82178790ca775f07f771f851

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
287KB

MD5
8f99e9e57ad75be42b23cbd5af3746b5

SHA1
3c48cb7c693d651513daaa1c8215b1ef9ecc85f3

SHA256
dad8977a5f91c18cb2dbaad02d0090e8b7dd6bcccbb23e5e3f34e95cc6cf0005

SHA512
11103325d1defece45df4b791ceb6471f65a3d23e0b0c71885fc30492151c5c4e5d6812dd0a0a1cb37301b1faf1b613a8d5172fd1581a0af97cfb73b00213d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll
Filesize
126KB

MD5
d7bf29763354eda154aad637017b5483

SHA1
dfa7d296bfeecde738ef4708aaabfebec6bc1e48

SHA256
7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93

SHA512
1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

Download Submit
C:\Windows\Installer\MSI39F7.tmp
Filesize
979KB

MD5
36565c7aa5355f98e059fc031d28ef9c

SHA1
43e2a29f40a9efc2aa4056b946e2eac12d0bff11

SHA256
212b711d72c66dc47603bcee4cfe3e80fea84c818168341082fe7aa12552278c

SHA512
fa3452acdce4322c95eacdcdb5957c409cd1373c269908703c69b9a5a7d5fdb3ce36a4c214d95e1078eef164428c5fea322e183d394e212e24e66c4b2df72330

Download Submit
C:\Windows\Installer\MSI39F7.tmp
Filesize
979KB

MD5
36565c7aa5355f98e059fc031d28ef9c

SHA1
43e2a29f40a9efc2aa4056b946e2eac12d0bff11

SHA256
212b711d72c66dc47603bcee4cfe3e80fea84c818168341082fe7aa12552278c

SHA512
fa3452acdce4322c95eacdcdb5957c409cd1373c269908703c69b9a5a7d5fdb3ce36a4c214d95e1078eef164428c5fea322e183d394e212e24e66c4b2df72330

Download Submit
C:\Windows\Installer\MSI6781.tmp
Filesize
68KB

MD5
54dde63178e5f043852e1c1b5cde0c4b

SHA1
a4b6b1d4e265bd2b2693fbd9e75a2fc35078e9bd

SHA256
f95a10c990529409e7abbc9b9ca64e87728dd75008161537d58117cbc0e80f9d

SHA512
995d33b9a1b4d25cd183925031cffa7a64e0a1bcd3eb65ae9b7e65e87033cd790be48cd927e6fa56e7c5e7e70f524dccc665beddb51c004101e3d4d9d7874b45

Download Submit
C:\Windows\Installer\MSI6781.tmp
Filesize
68KB

MD5
54dde63178e5f043852e1c1b5cde0c4b

SHA1
a4b6b1d4e265bd2b2693fbd9e75a2fc35078e9bd

SHA256
f95a10c990529409e7abbc9b9ca64e87728dd75008161537d58117cbc0e80f9d

SHA512
995d33b9a1b4d25cd183925031cffa7a64e0a1bcd3eb65ae9b7e65e87033cd790be48cd927e6fa56e7c5e7e70f524dccc665beddb51c004101e3d4d9d7874b45

Download Submit
C:\Windows\Installer\MSI734B.tmp
Filesize
74KB

MD5
d557e10dd63535aae79b780fbf83961d

SHA1
67fdf4459fab259f61da7ddd342261243b916a94

SHA256
be2ead50c4cd94d33c7f1e7c00b47744cb4b4309dcb349236cdcd447265ecf4b

SHA512
ab7d5ec81a3e4367b51deac213da79f9b3a6f5be505f4900121b19bffee4366dabf9674753f6ea82e35a88080b85b1e0f2eca790630f879f850aa322e4068feb

Download Submit
C:\Windows\Installer\MSI734B.tmp
Filesize
74KB

MD5
d557e10dd63535aae79b780fbf83961d

SHA1
67fdf4459fab259f61da7ddd342261243b916a94

SHA256
be2ead50c4cd94d33c7f1e7c00b47744cb4b4309dcb349236cdcd447265ecf4b

SHA512
ab7d5ec81a3e4367b51deac213da79f9b3a6f5be505f4900121b19bffee4366dabf9674753f6ea82e35a88080b85b1e0f2eca790630f879f850aa322e4068feb

Download Submit
C:\Windows\Installer\MSI9FB8.tmp
Filesize
198KB

MD5
c7018628101e1bb69437b4ab2f6b7465

SHA1
e185b2a7685490f74e11e794bf8e54bd9b21e295

SHA256
8c33499755edda822c1ed58354f0353134707f143ea0290758510781e515c8d8

SHA512
374f90ca6ae78e784967f314715cd282ea49332de1c1a59b3ed27389799f84eaae8ed9950a0b67ccc383c1ff872984114c2d43538cc39b50e9646e958dbf95f4

Download Submit
C:\Windows\Installer\MSI9FB8.tmp
Filesize
198KB

MD5
c7018628101e1bb69437b4ab2f6b7465

SHA1
e185b2a7685490f74e11e794bf8e54bd9b21e295

SHA256
8c33499755edda822c1ed58354f0353134707f143ea0290758510781e515c8d8

SHA512
374f90ca6ae78e784967f314715cd282ea49332de1c1a59b3ed27389799f84eaae8ed9950a0b67ccc383c1ff872984114c2d43538cc39b50e9646e958dbf95f4

Download Submit
C:\Windows\Installer\MSIA24A.tmp
Filesize
198KB

MD5
c7018628101e1bb69437b4ab2f6b7465

SHA1
e185b2a7685490f74e11e794bf8e54bd9b21e295

SHA256
8c33499755edda822c1ed58354f0353134707f143ea0290758510781e515c8d8

SHA512
374f90ca6ae78e784967f314715cd282ea49332de1c1a59b3ed27389799f84eaae8ed9950a0b67ccc383c1ff872984114c2d43538cc39b50e9646e958dbf95f4

Download Submit
C:\Windows\Installer\MSIA24A.tmp
Filesize
198KB

MD5
c7018628101e1bb69437b4ab2f6b7465

SHA1
e185b2a7685490f74e11e794bf8e54bd9b21e295

SHA256
8c33499755edda822c1ed58354f0353134707f143ea0290758510781e515c8d8

SHA512
374f90ca6ae78e784967f314715cd282ea49332de1c1a59b3ed27389799f84eaae8ed9950a0b67ccc383c1ff872984114c2d43538cc39b50e9646e958dbf95f4

Download Submit
C:\Windows\Installer\MSIA2E7.tmp
Filesize
198KB

MD5
c7018628101e1bb69437b4ab2f6b7465

SHA1
e185b2a7685490f74e11e794bf8e54bd9b21e295

SHA256
8c33499755edda822c1ed58354f0353134707f143ea0290758510781e515c8d8

SHA512
374f90ca6ae78e784967f314715cd282ea49332de1c1a59b3ed27389799f84eaae8ed9950a0b67ccc383c1ff872984114c2d43538cc39b50e9646e958dbf95f4

Download Submit
C:\Windows\Installer\MSIA2E7.tmp
Filesize
198KB

MD5
c7018628101e1bb69437b4ab2f6b7465

SHA1
e185b2a7685490f74e11e794bf8e54bd9b21e295

SHA256
8c33499755edda822c1ed58354f0353134707f143ea0290758510781e515c8d8

SHA512
374f90ca6ae78e784967f314715cd282ea49332de1c1a59b3ed27389799f84eaae8ed9950a0b67ccc383c1ff872984114c2d43538cc39b50e9646e958dbf95f4

Download Submit
C:\Windows\Temp\{1766F71A-98D9-4FAD-A8CD-A837B5E9E20C}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
memory/224-142-0x0000000000000000-mapping.dmp

Download
memory/312-176-0x0000000000000000-mapping.dmp

Download
memory/396-131-0x0000000000000000-mapping.dmp

Download
memory/488-190-0x0000000000000000-mapping.dmp

Download
memory/536-167-0x0000000000000000-mapping.dmp

Download
memory/1540-139-0x0000000000000000-mapping.dmp

Download
memory/1588-177-0x0000000000000000-mapping.dmp

Download
memory/1652-161-0x0000000000000000-mapping.dmp

Download
memory/1936-181-0x0000000000000000-mapping.dmp

Download
memory/2124-179-0x0000000000000000-mapping.dmp

Download
memory/2136-182-0x0000000000000000-mapping.dmp

Download
memory/2448-164-0x0000000000000000-mapping.dmp

Download
memory/2460-173-0x0000000000000000-mapping.dmp

Download
memory/2836-174-0x0000000000000000-mapping.dmp

Download
memory/2956-146-0x0000000000000000-mapping.dmp

Download
memory/3000-143-0x0000000000000000-mapping.dmp

Download
memory/3400-184-0x0000000000000000-mapping.dmp

Download
memory/3508-163-0x0000000000000000-mapping.dmp

Download
memory/3544-187-0x0000000000000000-mapping.dmp

Download
memory/3660-130-0x0000000000000000-mapping.dmp

Download
memory/3868-188-0x0000000000000000-mapping.dmp

Download
memory/3880-137-0x0000000000000000-mapping.dmp

Download
memory/4068-140-0x0000000000000000-mapping.dmp

Download
memory/4372-134-0x0000000000000000-mapping.dmp

Download
memory/4436-133-0x0000000000000000-mapping.dmp

Download
memory/4504-132-0x0000000000000000-mapping.dmp

Download
memory/4688-147-0x0000000000000000-mapping.dmp

Download
memory/4688-152-0x00000000055D0000-0x00000000065D0000-memory.dmp

Filesize
16.0MB

Download
memory/4808-135-0x0000000000000000-mapping.dmp

Download
memory/4852-136-0x0000000000000000-mapping.dmp

Download
memory/5004-141-0x0000000000000000-mapping.dmp

Download
memory/5048-138-0x0000000000000000-mapping.dmp

Download