d351106bbe871f6521ac3baf3c4e52da77b747770a428626473a9d3e2d8d03bf

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe\""	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

MSIEXEC.EXEMSIEXEC.EXEMSIEXEC.EXEMSIEXEC.EXEMSIEXEC.EXEmsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\F:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\F:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE

Installs/modifies Browser Helper Object 2 TTPs 12 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

Processes:

MSI16EA.tmpinstaller.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	MSI16EA.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	MSI16EA.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	MSI16EA.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	MSI16EA.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\NoExplorer = "1"	MSI16EA.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9}	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\NoExplorer = "1"	MSI16EA.tmp

Drops file in System32 directory 3 IoCs

Processes:

installer.exeMSI16EA.tmp

description	ioc	process
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	installer.exe
File created	C:\Windows\system32\WindowsAccessBridge-64.dll	MSI16EA.tmp
File opened for modification	C:\Windows\system32\WindowsAccessBridge-64.dll	MSI16EA.tmp

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exeinstaller.exe

description	ioc	process
File created	C:\Program Files\Expert Microsystems\SureSense_Server\css\Report.css	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\bin\api-ms-win-core-localization-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\legal\jdk.unsupported.desktop\ADDITIONAL_LICENSE_INFO	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\bin\api-ms-win-core-synch-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\bin\keytool.exe	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\jmods\java.se.jmod	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\legal\java.desktop\jpeg.md	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\legal\jdk.localedata\ADDITIONAL_LICENSE_INFO	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Server\libs\jna-platform-5.4.0.jar	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_201\bin\jp2launcher.exe	installer.exe
File created	C:\Program Files\Java\jre1.8.0_201\lib\ext\cldrdata.jar	installer.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\legal\jdk.sctp\ADDITIONAL_LICENSE_INFO	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\bin\jdeprscan.exe	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\legal\java.desktop\ASSEMBLY_EXCEPTION	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\legal\java.prefs\ASSEMBLY_EXCEPTION	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_201\bin\api-ms-win-crt-math-l1-1-0.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_201\bin\eula.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_201\lib\meta-index	installer.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\libs\slf4j-jdk14-1.7.30.jar	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\legal\jdk.management.jfr\LICENSE	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\legal\jdk.net\LICENSE	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_201\bin\unpack.dll	installer.exe
File created	C:\Program Files\Java\jre1.8.0_201\lib\jfxswt.jar	installer.exe
File created	C:\Program Files\Java\jre1.8.0_201\lib\management\management.properties	installer.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\StartWebServer.bat	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\WebView\assets\images\Reports.png	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\libs\commons-logging-1.2.jar	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Server\phmdefaults.zip	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_201\bin\j2pkcs11.dll	installer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\localedata.jar	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\legal\jdk.javadoc\jqueryUI.md	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_201\bin\jli.dll	installer.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\WebView\assets\help\Alarm.html	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\bin\api-ms-win-crt-time-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\classlist	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\WebView\assets\help\images\ReportSettings.png	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\bin\javajpeg.dll	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\legal\jdk.dynalink\ADDITIONAL_LICENSE_INFO	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense\libs\h2-1.4.196.jar	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_201\lib\fonts\LucidaBrightRegular.ttf	installer.exe
File created	C:\Program Files\Java\jre1.8.0_201\lib\images\cursors\win32_CopyDrop32x32.gif	installer.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\StartCrawler.bat	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\WebView\assets\help\images\editautorefresh.png	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\bin\jlink.exe	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\jmods\jdk.editpad.jmod	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\legal\jdk.jartool\LICENSE	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Server\smile.jar	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_201\lib\jfr\default.jfc	installer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\sunpkcs11.jar	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\include\win32\jni_md.h	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\legal\jdk.jcmd\LICENSE	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense\libs\sqljdbc_auth.dll	msiexec.exe
File created	C:\Program Files\Java\jre1.8.0_201\lib\fontconfig.properties.src	installer.exe
File created	C:\Program Files\Java\jre1.8.0_201\lib\security\blacklist	installer.exe
File created	C:\Program Files\Java\jre1.8.0_201\bin\api-ms-win-core-rtlsupport-l1-1-0.dll	installer.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\legal\java.base\asm.md	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\legal\jdk.internal.vm.ci\ADDITIONAL_LICENSE_INFO	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Server\ConfigureProjectLockTimeout.bat	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\legal\jdk.management.agent\LICENSE	msiexec.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaTypewriterRegular.ttf	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\bin\java.exe	msiexec.exe
File created	C:\Program Files\Expert Microsystems\SureSense_Web\JDK\legal\java.base\zlib.md	msiexec.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{8C916C33-A6F6-4258-999E-0974E486B407}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{1EA2DBCC-67AB-4ADD-B46D-87F33EC3D7E8}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI31E4.tmp	msiexec.exe
File created	C:\Windows\Installer\e5afea7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5aff75.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB379.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI12C1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID23F.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e5afe98.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5afe98.msi	msiexec.exe
File created	C:\Windows\Installer\e5afe9b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B2F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA8F.tmp	msiexec.exe
File created	C:\Windows\Installer\{6FA6D6CD-E64C-4889-8EC6-BD77F5E77FC5}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID3F7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI18FA.tmp	msiexec.exe
File created	C:\Windows\Installer\{4ACF4FAF-24C8-4D00-8586-A3CCA55D9EC8}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\e5afe9a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBEB8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC765.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF1EC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CC6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5aff71.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4A03706F-666A-4037-7777-5F2748764D10}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE0.tmp	msiexec.exe
File created	C:\Windows\Installer\e5afe97.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB3C8.tmp	msiexec.exe
File created	C:\Windows\Installer\e5aff75.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF9E1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC447.tmp	msiexec.exe
File created	C:\Windows\Installer\e5afea0.msi	msiexec.exe
File created	C:\Windows\Installer\{1EA2DBCC-67AB-4ADD-B46D-87F33EC3D7E8}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2553.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5afe9b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI16EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF0A9.tmp	msiexec.exe
File created	C:\Windows\Installer\e5afe95.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB2DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC66.tmp	msiexec.exe
File created	C:\Windows\Installer\{8C916C33-A6F6-4258-999E-0974E486B407}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1A78.tmp	msiexec.exe
File created	C:\Windows\Installer\e5aff77.msi	msiexec.exe
File created	C:\Windows\Installer\e5aff74.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2DD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5afe95.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5afea1.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{26A24AE4-039D-4CA4-87B4-2F64180201F0}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI35DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7BA0.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6FA6D6CD-E64C-4889-8EC6-BD77F5E77FC5}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8C916C33-A6F6-4258-999E-0974E486B407}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4ACF4FAF-24C8-4D00-8586-A3CCA55D9EC8}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAFC3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{4ACF4FAF-24C8-4D00-8586-A3CCA55D9EC8}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\e5afea1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5afea4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI339A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI18DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2C69.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

msiexec.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

Processes:

installer.exeMSI16EA.tmp

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	MSI16EA.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	MSI16EA.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	MSI16EA.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	MSI16EA.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	MSI16EA.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName = "javaws.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	MSI16EA.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_201\\bin"	MSI16EA.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\Policy = "3"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\Policy = "3"	MSI16EA.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_201\\bin"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppName = "ssvagent.exe"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_201\\bin"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_201\\bin"	MSI16EA.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	MSI16EA.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\Compatibility Flags = "1024"	MSI16EA.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_201\\bin"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MSI16EA.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath = "C:\\Program Files\\Java\\jre1.8.0_201\\bin"	MSI16EA.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4b5f-9EE6-34795C46E7E7}\AppName = "jp2launcher.exe"	MSI16EA.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	MSI16EA.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "0"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\AlternateCLSID = "{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	MSI16EA.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	MSI16EA.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	MSI16EA.tmp

Modifies data under HKEY_USERS 64 IoCs

Processes:

installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\jp2iexp.dll"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBB}\ = "Java Plug-in 1.6.0_32"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0150-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0086-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBA}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBB}\ = "Java Plug-in 1.7.0_72"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0157-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0062-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0096-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0177-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0104-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0163-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0026-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\jp2iexp.dll"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0022-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0117-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0133-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0109-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_109"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0098-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0111-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0142-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0002-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_02"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0090-ABCDEFFEDCBC}\ = "Java Plug-in 1.7.0_90"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\JavaPlugin.11662	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0046-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0050-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBB}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBC}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0128-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0180-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0148-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0015-0000-0087-ABCDEFFEDCBB}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0180-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0135-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0110-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0130-ABCDEFFEDCBB}	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0124-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0127-ABCDEFFEDCBC}\InprocServer32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0002-0083-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0045-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0153-ABCDEFFEDCBB}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_30"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0049-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0191-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0049-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0191-ABCDEFFEDCBB}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0165-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0043-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_43"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0062-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0193-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0013-0001-0054-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0014-0002-0088-ABCDEFFEDCBA}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0008-ABCDEFFEDCBC}\ = "Java Plug-in 1.6.0_08"	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0017-0000-0129-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0004-ABCDEFFEDCBB}	installer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0018-0000-0056-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0136-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\CLSID\{CAFEEFAC-0016-0000-0172-ABCDEFFEDCBC}	installer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0110-ABCDEFFEDCBA}\INPROCSERVER32	installer.exe

Modifies registry class 64 IoCs

Processes:

ssvagent.exeMSI16EA.tmpmsiexec.exeinstaller.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0057-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MSI16EA.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0144-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\jp2iexp.dll"	MSI16EA.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F60730A4A66673047777F5728467D401\SourceList\PackageName = "au.msi"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0141-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\jp2iexp.dll"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBA}\INPROCSERVER32	MSI16EA.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0039-ABCDEFFEDCBA}\InprocServer32	MSI16EA.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0154-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	MSI16EA.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0131-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_131"	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0082-ABCDEFFEDCBC}\ = "Java Plug-in 1.8.0_82"	MSI16EA.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0126-ABCDEFFEDCBA}\ = "Java Plug-in 1.8.0_126"	MSI16EA.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B941787E790DB8A4CA8D626215246015	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0146-ABCDEFFEDCBA}	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0160-ABCDEFFEDCBA}	MSI16EA.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0156-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\jp2iexp.dll"	MSI16EA.tmp
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0074-ABCDEFFEDCBB}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0041-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\jp2iexp.dll"	MSI16EA.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0128-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\jp2iexp.dll"	ssvagent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0127-ABCDEFFEDCBB}	MSI16EA.tmp
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0102-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\jp2iexp.dll"	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0203-ABCDEFFEDCBA}	MSI16EA.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0186-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_186"	MSI16EA.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0151-ABCDEFFEDCBA}\InprocServer32	MSI16EA.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0164-ABCDEFFEDCBC}	MSI16EA.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0085-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\jp2iexp.dll"	MSI16EA.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0131-ABCDEFFEDCBA}\INPROCSERVER32	MSI16EA.tmp
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0188-ABCDEFFEDCBA}	MSI16EA.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0111-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0070-ABCDEFFEDCBB}\ = "Java Plug-in 1.3.1_70"	MSI16EA.tmp
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0195-ABCDEFFEDCBA}\InprocServer32	MSI16EA.tmp
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0170-ABCDEFFEDCBA}\InprocServer32	MSI16EA.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0055-ABCDEFFEDCBB}\INPROCSERVER32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MSI16EA.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0145-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBA}\InprocServer32	MSI16EA.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBC}\INPROCSERVER32	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0167-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0002-0069-ABCDEFFEDCBA}\INPROCSERVER32	MSI16EA.tmp
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0103-ABCDEFFEDCBA}	MSI16EA.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0177-ABCDEFFEDCBC}	MSI16EA.tmp
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0027-ABCDEFFEDCBC}	ssvagent.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0035-ABCDEFFEDCBA}\InprocServer32	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0121-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0074-ABCDEFFEDCBC}	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBB}\ = "Java Plug-in 1.4.2_36"	MSI16EA.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0052-ABCDEFFEDCBB}	MSI16EA.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBB}	ssvagent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0064-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	MSI16EA.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0097-ABCDEFFEDCBB}\INPROCSERVER32	MSI16EA.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0112-ABCDEFFEDCBA}\InprocServer32	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0169-ABCDEFFEDCBC}\InprocServer32	installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0043-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\jp2iexp.dll"	ssvagent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_17"	MSI16EA.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0082-ABCDEFFEDCBA}	MSI16EA.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0179-ABCDEFFEDCBC}	MSI16EA.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}	installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0084-ABCDEFFEDCBA}	ssvagent.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBB}\INPROCSERVER32	MSI16EA.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}	MSI16EA.tmp
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBB}	MSI16EA.tmp

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

msiexec.exejavaws.exejp2launcher.exejavaws.exejp2launcher.exeMSI16EA.tmpjp2launcher.exe

pid	process
3600	msiexec.exe
3600	msiexec.exe
3600	msiexec.exe
3600	msiexec.exe
3600	msiexec.exe
3600	msiexec.exe
3600	msiexec.exe
3600	msiexec.exe
4124	javaws.exe
4124	javaws.exe
4784	jp2launcher.exe
4784	jp2launcher.exe
3216	javaws.exe
3216	javaws.exe
2184	jp2launcher.exe
2184	jp2launcher.exe
4820	MSI16EA.tmp
4820	MSI16EA.tmp
2124	jp2launcher.exe
2124	jp2launcher.exe
3600	msiexec.exe
3600	msiexec.exe
3600	msiexec.exe
3600	msiexec.exe
3600	msiexec.exe
3600	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zG.exeMSIEXEC.EXEmsiexec.exe

description	pid	process
Token: SeRestorePrivilege	1216	7zG.exe
Token: 35	1216	7zG.exe
Token: SeSecurityPrivilege	1216	7zG.exe
Token: SeSecurityPrivilege	1216	7zG.exe
Token: SeShutdownPrivilege	4716	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4716	MSIEXEC.EXE
Token: SeSecurityPrivilege	3600	msiexec.exe
Token: SeCreateTokenPrivilege	4716	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4716	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4716	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4716	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4716	MSIEXEC.EXE
Token: SeTcbPrivilege	4716	MSIEXEC.EXE
Token: SeSecurityPrivilege	4716	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4716	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4716	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4716	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4716	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4716	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4716	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4716	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4716	MSIEXEC.EXE
Token: SeBackupPrivilege	4716	MSIEXEC.EXE
Token: SeRestorePrivilege	4716	MSIEXEC.EXE
Token: SeShutdownPrivilege	4716	MSIEXEC.EXE
Token: SeDebugPrivilege	4716	MSIEXEC.EXE
Token: SeAuditPrivilege	4716	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4716	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4716	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4716	MSIEXEC.EXE
Token: SeUndockPrivilege	4716	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4716	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4716	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4716	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4716	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	4716	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	4716	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4716	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4716	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4716	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4716	MSIEXEC.EXE
Token: SeTcbPrivilege	4716	MSIEXEC.EXE
Token: SeSecurityPrivilege	4716	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4716	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4716	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4716	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4716	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4716	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4716	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4716	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4716	MSIEXEC.EXE
Token: SeBackupPrivilege	4716	MSIEXEC.EXE
Token: SeRestorePrivilege	4716	MSIEXEC.EXE
Token: SeShutdownPrivilege	4716	MSIEXEC.EXE
Token: SeDebugPrivilege	4716	MSIEXEC.EXE
Token: SeAuditPrivilege	4716	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4716	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4716	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4716	MSIEXEC.EXE
Token: SeUndockPrivilege	4716	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4716	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4716	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4716	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4716	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

7zG.exeMSIEXEC.EXEMSIEXEC.EXEMSIEXEC.EXEMSIEXEC.EXEMSIEXEC.EXE

pid	process
1216	7zG.exe
4716	MSIEXEC.EXE
4716	MSIEXEC.EXE
4544	MSIEXEC.EXE
4544	MSIEXEC.EXE
1320	MSIEXEC.EXE
1320	MSIEXEC.EXE
3716	MSIEXEC.EXE
3716	MSIEXEC.EXE
2224	MSIEXEC.EXE
2224	MSIEXEC.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

SureSense_Studio.exeActiveDirectoryToolbox.exeSureSense_Server.exeActiveDirectoryToolbox.exejre-8u201-windows-x64.exejre-8u201-windows-x64.exejp2launcher.exejp2launcher.exejp2launcher.exeSureSenseWeb.exe

pid	process
876	SureSense_Studio.exe
3372	ActiveDirectoryToolbox.exe
4216	SureSense_Server.exe
4148	ActiveDirectoryToolbox.exe
3104	jre-8u201-windows-x64.exe
3104	jre-8u201-windows-x64.exe
3104	jre-8u201-windows-x64.exe
540	jre-8u201-windows-x64.exe
3104	jre-8u201-windows-x64.exe
3104	jre-8u201-windows-x64.exe
4784	jp2launcher.exe
2184	jp2launcher.exe
2124	jp2launcher.exe
4956	SureSenseWeb.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SureSense_Studio.exemsiexec.exeMsiExec.exeMsiExec.exe

description	pid	process	target process
PID 876 wrote to memory of 4716	876	SureSense_Studio.exe	MSIEXEC.EXE
PID 876 wrote to memory of 4716	876	SureSense_Studio.exe	MSIEXEC.EXE
PID 3600 wrote to memory of 4628	3600	msiexec.exe	MsiExec.exe
PID 3600 wrote to memory of 4628	3600	msiexec.exe	MsiExec.exe
PID 3600 wrote to memory of 4628	3600	msiexec.exe	MsiExec.exe
PID 4628 wrote to memory of 5076	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 5076	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 4836	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 4836	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 2256	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 2256	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 4152	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 4152	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 4128	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 4128	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 4776	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 4776	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 3592	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 3592	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 4420	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 4420	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 952	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 952	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 4692	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 4692	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 2612	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 2612	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 5056	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 5056	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 2600	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 2600	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 1992	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 1992	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 3432	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 3432	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 792	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 792	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 4020	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 4020	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 1332	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 1332	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 2984	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 2984	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 796	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 796	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 3800	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 3800	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 1164	4628	MsiExec.exe	ISBEW64.exe
PID 4628 wrote to memory of 1164	4628	MsiExec.exe	ISBEW64.exe
PID 3600 wrote to memory of 4036	3600	msiexec.exe	srtasks.exe
PID 3600 wrote to memory of 4036	3600	msiexec.exe	srtasks.exe
PID 3600 wrote to memory of 984	3600	msiexec.exe	MsiExec.exe
PID 3600 wrote to memory of 984	3600	msiexec.exe	MsiExec.exe
PID 3600 wrote to memory of 984	3600	msiexec.exe	MsiExec.exe
PID 984 wrote to memory of 1296	984	MsiExec.exe	ISBEW64.exe
PID 984 wrote to memory of 1296	984	MsiExec.exe	ISBEW64.exe
PID 984 wrote to memory of 5076	984	MsiExec.exe	ISBEW64.exe
PID 984 wrote to memory of 5076	984	MsiExec.exe	ISBEW64.exe
PID 984 wrote to memory of 4836	984	MsiExec.exe	ISBEW64.exe
PID 984 wrote to memory of 4836	984	MsiExec.exe	ISBEW64.exe
PID 984 wrote to memory of 3616	984	MsiExec.exe	ISBEW64.exe
PID 984 wrote to memory of 3616	984	MsiExec.exe	ISBEW64.exe
PID 984 wrote to memory of 4344	984	MsiExec.exe	ISBEW64.exe
PID 984 wrote to memory of 4344	984	MsiExec.exe	ISBEW64.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\SureSense 6.2.0.61 Installers.zip"
1⤵
PID:2200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2652

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\" -spe -an -ai#7zMap6989:116:7zEvent16953
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1216

C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Studio\SureSense_Studio.exe
"C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Studio\SureSense_Studio.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SYSTEM32\MSIEXEC.EXE
MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{40A42F7A-F90D-44E0-B8A7-518598CD81B5}\SureSense Studio.msi" SETUPEXEDIR="C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Studio" SETUPEXENAME="SureSense_Studio.exe"
2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4716

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FD8B61FAA84D0ECAE1E8702488CF9A61 C
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4628

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6DBFA049-F7A6-458E-8411-3D04487EE3A8}
3⤵
- Executes dropped EXE
PID:5076

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B6F2EF9B-E690-4C91-ABFE-2D2A768F4B2B}
3⤵
- Executes dropped EXE
PID:4836

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FD00BC21-44F4-4A72-B2AA-795ED1668ECF}
3⤵
- Executes dropped EXE
PID:2256

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AA1D71A6-22B0-42D5-8ED6-FFBF0D45597D}
3⤵
- Executes dropped EXE
PID:4152

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AF014E9F-F1E4-4428-8BCA-F90166F2BE66}
3⤵
- Executes dropped EXE
PID:4128

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C3028D55-1D67-4024-A963-A7018AAE50F5}
3⤵
- Executes dropped EXE
PID:4776

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EB287D08-D8A5-476F-8347-4D912A388C38}
3⤵
- Executes dropped EXE
PID:3592

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DD07F349-0679-43A3-BEEB-C8680557D2D5}
3⤵
- Executes dropped EXE
PID:4420

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E002D22F-D490-4B1A-B705-49A72D7DD115}
3⤵
- Executes dropped EXE
PID:952

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8EA59309-909B-41B6-99AF-20BCE03A42B8}
3⤵
- Executes dropped EXE
PID:4692

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{635F41B7-60AC-4FC9-9EB7-1ACD5F2E813C}
3⤵
- Executes dropped EXE
PID:2612

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F4EFA30B-2516-4FDE-840D-8F07314B41FB}
3⤵
- Executes dropped EXE
PID:5056

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4AFEC302-DEAD-4D2D-A6F6-551A4EC47A8A}
3⤵
- Executes dropped EXE
PID:2600

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A81CBC10-E05C-45AA-B8BC-569FEC7CB6BB}
3⤵
- Executes dropped EXE
PID:1992

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{37047B30-5A10-4B70-B13E-193E3ED26FEA}
3⤵
- Executes dropped EXE
PID:3432

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{188E21BE-1713-4FF8-A742-E9F611D5DD09}
3⤵
- Executes dropped EXE
PID:792

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{63B063EE-E98E-4B05-B7B3-711999B9A719}
3⤵
- Executes dropped EXE
PID:4020

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E19E0725-4F1B-4685-A3A3-0A4A3A5F6553}
3⤵
- Executes dropped EXE
PID:1332

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9D893C06-F6B1-4C23-8866-684B4FBD5898}
3⤵
- Executes dropped EXE
PID:2984

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EDFE5AC0-0788-47F9-8B11-82C490A5738B}
3⤵
- Executes dropped EXE
PID:3800

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{88E509E8-163D-4063-A619-96DA53E3BAD0}
3⤵
- Executes dropped EXE
PID:796

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9B5BE770-4F2A-494D-8CC8-43AA68B9CD9F}
3⤵
- Executes dropped EXE
PID:1164

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4036

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F2850536AC17112BD34AD15F4CD22DDF
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:984

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{47DF34B1-5F0D-42EF-81A1-2CBC617195CA}
3⤵
- Executes dropped EXE
PID:1296

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8ED50A8C-C8B9-4DEB-8316-AD39892B79F7}
3⤵
- Executes dropped EXE
PID:5076

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2C9A40A5-0CCD-4E24-92FF-BFA5940D80B3}
3⤵
- Executes dropped EXE
PID:4836

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5EDB1F95-679D-4C16-B0FF-0B4126DB20FB}
3⤵
- Executes dropped EXE
PID:3616

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{114A701C-329E-46CE-A8E5-FA1F469098AA}
3⤵
- Executes dropped EXE
PID:4344

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2EFFA28C-388C-416E-B354-5B9238B9A5D8}
3⤵
- Executes dropped EXE
PID:2116

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6A268400-ADA1-40B3-A092-7C28F741E151}
3⤵
- Executes dropped EXE
PID:1728

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A0B4093F-5EEA-4F07-9C51-B145F59D54D4}
3⤵
- Executes dropped EXE
PID:2624

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{50ABE4A3-9CD8-448E-9E53-87CC6BC3F043}
3⤵
- Executes dropped EXE
PID:4420

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3C8928B0-B8F6-4BB1-A3CF-45A1DFF7CD20}
3⤵
- Executes dropped EXE
PID:4768

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1E7BD364-A268-422F-98D7-61105D3B9104}
3⤵
- Executes dropped EXE
PID:4692

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5081C973-CF38-4019-87E0-87A3D8E935AA}
3⤵
- Executes dropped EXE
PID:2612

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1540D6B8-B80B-4EF5-9B84-1174DFE7C1A5}
3⤵
- Executes dropped EXE
PID:3488

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{695B8DD7-D0B9-4899-B0A3-EABF26F5E16D}
3⤵
- Executes dropped EXE
PID:1032

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9054728C-A5A9-465D-9366-8664A0518D0D}
3⤵
- Executes dropped EXE
PID:1424

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{98A702C0-0DD0-4647-B94F-0F0B23CD0B02}
3⤵
- Executes dropped EXE
PID:2824

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BA5F3B11-AF35-4085-BFB5-CB8152DA6575}
3⤵
- Executes dropped EXE
PID:4720

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F1F10D35-AB30-4F70-8D4A-A25F462F15D3}
3⤵
- Executes dropped EXE
PID:1248

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1C163D00-253E-4911-B10B-2A1774619FF1}
3⤵
- Executes dropped EXE
PID:2688

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{62BF38B5-7F84-4CE6-9B80-CF2845F5D6AE}
3⤵
- Executes dropped EXE
PID:3500

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EF3FC666-5AF7-4EEE-95B0-27DCF3C02219}
3⤵
- Executes dropped EXE
PID:1320

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E92E6364-E3C3-42CC-85F1-D70CDCC19929}
3⤵
- Executes dropped EXE
PID:2788

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding EA544CE81C7E78206B8A909CC03676C8 E Global\MSI0000
2⤵
- Loads dropped DLL
PID:1120

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{805E79E8-D2EB-4423-A8EB-36D15DF54AA5}
3⤵
- Executes dropped EXE
PID:2020

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{102097EA-53EA-430E-A2E3-6111A5B27E62}
3⤵
- Executes dropped EXE
PID:3800

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{140C1091-513E-4232-810B-92B0635B60B8}
3⤵
- Executes dropped EXE
PID:1984

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DC66CA60-AEF7-49E1-A9E0-C40CF09AC8BF}
3⤵
- Executes dropped EXE
PID:4020

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C27B9CA0-773F-4EA0-93D8-BEE763D8C4A9}
3⤵
- Executes dropped EXE
PID:4996

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{36491CC3-9E7A-45D8-A598-678D6DE9B480}
3⤵
- Executes dropped EXE
PID:964

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{94F91C59-8CAB-4178-A804-DACE3508555F}
3⤵
- Executes dropped EXE
PID:736

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C8BC20FB-C6DC-4E21-8475-0B7BB9DC00B6}
3⤵
- Executes dropped EXE
PID:4952

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E1DA9C35-53D9-46DF-A28F-60BDAEB84F13}
3⤵
- Executes dropped EXE
PID:4948

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2A73C7B6-3FA9-4657-A69D-510E4FA24306}
3⤵
- Executes dropped EXE
PID:4832

C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{68F62C45-3630-4B58-B2DF-A5225E78CD17}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A5AF9023-4CFC-48E6-A780-D58019C252D4}
3⤵
- Executes dropped EXE
PID:1640

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 802289EB268D775824644BFA95DE3A10 C
2⤵
- Loads dropped DLL
PID:3968

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6802A1BF-466A-490C-B00A-BA2E9BB79CAC}
3⤵
- Executes dropped EXE
PID:2464

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7D75F749-599C-415F-9AEF-98F95602B915}
3⤵
- Executes dropped EXE
PID:4764

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{91474C5A-F8E1-46A6-BCDE-C27FEC71DEB4}
3⤵
- Executes dropped EXE
PID:3796

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7FFA8739-CCBB-47D0-AAAD-A2CE6C0D6D08}
3⤵
- Executes dropped EXE
PID:4556

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1B002C14-69E4-4CC1-B89E-D9D5A331B8DD}
3⤵
- Executes dropped EXE
PID:4952

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8708EC75-3528-422D-BF24-0C455127FCD3}
3⤵
- Executes dropped EXE
PID:3128

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{085CEB1D-66CF-4E0F-9617-8A22F8E97B8B}
3⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CA87C66D-F1B1-43A2-B908-2E60E38A7A65}
3⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CBDDBFD1-BEEB-480D-9CF6-831608F30F2E}
3⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2CFE4473-0881-4155-82D9-ABB7DB4B78EB}
3⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D04B1FFD-6E06-4C90-8DD3-5781138D6690}
3⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CF64388E-112E-4F43-94E6-E3D82C4453DC}
3⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E62351C5-92C2-4305-9F7C-2C85DC532B87}
3⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BAF21589-37A2-4801-8E2C-C633FCB2328D}
3⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4E25C060-94FA-4634-B361-F27501BAD6A4}
3⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7C089A2F-8FC2-4137-9B14-295583B6D608}
3⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{31EF357E-CBCB-4772-A70F-7621E8BF526B}
3⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{14AA548F-7031-4593-88E6-15EE05CD94B7}
3⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9EA8BB9F-F98A-4996-9744-BFB73CB5210F}
3⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{71E14529-9AFE-41CC-9EAD-E42902719D0F}
3⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F3A8DBC-4990-4496-9D60-9D401DDE7112}
3⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{50FB5BA2-3E13-4257-9C29-96A79D70FBCA}
3⤵
PID:2476

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 616D168239EE950415AF5C0A4ADD3BFC
2⤵
- Loads dropped DLL
PID:4428

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2876ED1C-DFAE-4BD4-AF32-604D35F35306}
3⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3BA99BE9-F1EA-4029-BB99-EC57A728DC1A}
3⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4AEAE5AB-E2EA-438F-88AD-8F9A95968847}
3⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3D135D5E-8AFD-4C69-9D2A-D7425CD4C28A}
3⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{972C2C23-CA02-4A05-BCEC-FA428CC03CEB}
3⤵
PID:404

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{662909A9-E12F-4236-BE9F-CA7A9B9DBC9F}
3⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E75DAB4C-96DD-472F-933E-3D8379058EC8}
3⤵
PID:604

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{54515BCB-9811-4A71-A233-B2CE3C4982C1}
3⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{58A1EBA7-B85E-4AF1-ADCE-0D5FD6002908}
3⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{319027FF-F0BB-42CB-A6BF-2AB5E11DE5D6}
3⤵
PID:3316

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BF2B6FB4-86FA-4DBD-8760-F54787C06CD6}
3⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{13A9D8A7-E54E-4C87-A37C-8359A2A3E1C3}
3⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CB6088E8-6321-40FD-84E6-B14D4EF04043}
3⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FC891C6A-440B-495F-A74A-763D2B6989AC}
3⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4405C535-9656-4A27-8868-EDAB119D3ACA}
3⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9ABE70BA-A68E-4970-83AC-F5B382F54387}
3⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{121B069B-50FA-47CC-B42B-47EC57A2DA2F}
3⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5CDDC778-3478-42F8-ACF4-390B709CF87D}
3⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{96F9172E-D1B3-489D-9F7C-767E4E669F04}
3⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C968ABF4-4A41-422B-9FF4-09CE52F490CF}
3⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CEDAC693-202A-4ABD-A33A-BD94660280C1}
3⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{53E064DB-60FA-47CC-BB45-06CD72DEE606}
3⤵
PID:3372

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 13C7354D8873C70D62EF441E7463E07C E Global\MSI0000
2⤵
- Loads dropped DLL
PID:3480

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E369DFAB-5713-4C36-A9F0-C08B7960C5B2}
3⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FFDA9938-FF48-49DA-BAF9-944BB4E0B47C}
3⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D1A47387-DB88-4EE7-A854-11FA3803CBD7}
3⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{88A5801E-DD75-48D7-B2A8-B5EA829C1F1F}
3⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BCC477D8-7F51-4BC2-B051-7708198A8778}
3⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D717F83A-F33D-460C-A76B-26A0CD2A8AE4}
3⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8F7863C9-F128-46BD-8810-B1E5B8540E0C}
3⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BA22814C-2932-4A63-86ED-9F7EB0264F57}
3⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E10487F2-F61C-49C2-B6E2-E79EBEE5040B}
3⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C904F152-44A2-4C04-87E2-0851BB9A02F0}
3⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{07FF17C9-2DC6-4382-8374-3E01983FEE1B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8A6FEF97-BC56-4B0A-A451-4E740516161F}
3⤵
PID:608

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 61710CA50771A2B7E639CC496750D9A3
2⤵
- Loads dropped DLL
PID:2324

C:\Program Files\Java\jre1.8.0_201\installer.exe
"C:\Program Files\Java\jre1.8.0_201\installer.exe" /s INSTALLDIR="C:\Program Files\Java\jre1.8.0_201\\" INSTALL_SILENT=1 REPAIRMODE=0 ProductCode={26A24AE4-039D-4CA4-87B4-2F64180201F0}
2⤵
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
PID:2960

C:\ProgramData\Oracle\Java\installcache_x64\241187812.tmp\bspatch.exe
"bspatch.exe" baseimagefam8 newimage diff
3⤵
PID:1524

C:\Program Files\Java\jre1.8.0_201\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_201\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_201\lib/plugin.pack" "C:\Program Files\Java\jre1.8.0_201\lib/plugin.jar"
3⤵
- Loads dropped DLL
PID:2784

C:\Program Files\Java\jre1.8.0_201\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_201\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_201\lib/javaws.pack" "C:\Program Files\Java\jre1.8.0_201\lib/javaws.jar"
3⤵
PID:1824

C:\Program Files\Java\jre1.8.0_201\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_201\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_201\lib/deploy.pack" "C:\Program Files\Java\jre1.8.0_201\lib/deploy.jar"
3⤵
PID:820

C:\Program Files\Java\jre1.8.0_201\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_201\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_201\lib/rt.pack" "C:\Program Files\Java\jre1.8.0_201\lib/rt.jar"
3⤵
PID:4744

C:\Program Files\Java\jre1.8.0_201\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_201\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_201\lib/jsse.pack" "C:\Program Files\Java\jre1.8.0_201\lib/jsse.jar"
3⤵
PID:3796

C:\Program Files\Java\jre1.8.0_201\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_201\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_201\lib/charsets.pack" "C:\Program Files\Java\jre1.8.0_201\lib/charsets.jar"
3⤵
PID:3396

C:\Program Files\Java\jre1.8.0_201\bin\unpack200.exe
"C:\Program Files\Java\jre1.8.0_201\bin\unpack200.exe" -r "C:\Program Files\Java\jre1.8.0_201\lib/ext/localedata.pack" "C:\Program Files\Java\jre1.8.0_201\lib/ext/localedata.jar"
3⤵
PID:5032

C:\Program Files\Java\jre1.8.0_201\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_201\bin\javaw.exe" -Xshare:dump -Djdk.disableLastUsageTracking
3⤵
PID:4568

C:\Program Files\Java\jre1.8.0_201\bin\ssvagent.exe
"C:\Program Files\Java\jre1.8.0_201\bin\ssvagent.exe" -doHKCUSSVSetup
3⤵
- Registers COM server for autorun
- Modifies registry class
PID:2364

C:\Program Files\Java\jre1.8.0_201\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_201\bin\javaws.exe" -wait -fix -permissions -silent
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4124

C:\Program Files\Java\jre1.8.0_201\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_201\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_201" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjAxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjAxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzIwMVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8yMDFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzIwMVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjAxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjAxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtcGVybWlzc2lvbnMALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4784

C:\Program Files\Java\jre1.8.0_201\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_201\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3216

C:\Program Files\Java\jre1.8.0_201\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_201\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_201" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjAxXGxpYlxkZXBsb3kuamFyAC1EamF2YS5zZWN1cml0eS5wb2xpY3k9ZmlsZTpDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjAxXGxpYlxzZWN1cml0eVxqYXZhd3MucG9saWN5AC1EdHJ1c3RQcm94eT10cnVlAC1YdmVyaWZ5OnJlbW90ZQAtRGpubHB4LmhvbWU9QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzIwMVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF8yMDFcbGliXGphdmF3cy5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzIwMVxsaWJcZGVwbG95LmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjAxXGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfMjAxXGJpblxqYXZhdy5leGU= -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2184

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 60B81DE502182488DEB72931AF218663 E Global\MSI0000
2⤵
PID:4244

C:\Windows\Installer\MSI16EA.tmp
"C:\Windows\Installer\MSI16EA.tmp" ProductCode={26A24AE4-039D-4CA4-87B4-2F86418066F0} /s
2⤵
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4820

C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe" -wait -fix -shortcut -silent
3⤵
PID:260

C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe
"C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_66" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzY2XGxpYlxwbHVnaW4uamFyAC1EamF2YS5hd3QuaGVhZGxlc3M9dHJ1ZQAtRGpubHB4Lmp2bT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcYmluXGphdmF3LmV4ZQ== -ma LXdhaXQALWZpeAAtc2hvcnRjdXQALXNpbGVudAAtbm90V2ViSmF2YQ==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2124

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
"C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -u auto-update
3⤵
PID:3788

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BB36063780FD2BC8058C803E3897EF42
2⤵
PID:5020

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CE07901CDB0A2ED6C963EAE0B2AA56FE E Global\MSI0000
2⤵
PID:1308

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 20F540BF85672E1C8B057101335D4589
2⤵
PID:368

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding EC4070D405B62E92252D040039C2E392 E Global\MSI0000
2⤵
PID:1200

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4FF8921CDF31C914E025F4F61CD13874 C
2⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E0838CD3-A4B4-4DDD-BEF9-47E0024956AA}
3⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EF9BB784-FFA7-4CAA-8B38-5CC7ADE72FC4}
3⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5CCEAA84-0CB4-4B8A-93E0-D553D698222E}
3⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0759BBD1-F21C-4A5A-9F72-7DC1A2484B93}
3⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{73B7E2AD-02C1-4523-BB3C-7BC2840D45C1}
3⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4867195B-A7AC-429F-8DAE-F29EEBB4088E}
3⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0C71151A-60E2-4454-9CCA-223E4E4822B6}
3⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B8C525A4-B586-4584-A068-46493368A7F7}
3⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C431DD60-3257-44DE-AFC1-4A9D8E15DD71}
3⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{221270FE-FA2E-49B1-926B-AC205D79014D}
3⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8D258E87-7BEB-4769-9DF4-9AB2577C176F}
3⤵
PID:4640

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FE7D8FFA4086D8197CA89ACACAD55739
2⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{81E5D15D-76BD-4DD3-8A37-3D9627F98A3E}
3⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8F945CD6-C108-43D3-ACF0-FC81A77C72C7}
3⤵
PID:708

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4DAF545B-C33F-47D4-A314-2665AD9216C0}
3⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{37C0C6A2-84DF-4894-B24E-0875A528F95B}
3⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{135FD7A2-0EEB-4B53-A466-32BB3899FFB7}
3⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2591956A-29AE-4BA2-8E00-F14D69E85ABA}
3⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7F539B76-46D0-454C-B732-F28D3717A310}
3⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2B8D960F-28CA-4D83-BB86-CD985481C5CE}
3⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9CB1A011-3286-4BD6-8A47-B0695525A902}
3⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2616F8ED-E41F-4581-BC40-392934C0C3D1}
3⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{918B6768-7C81-49B6-BDF4-3D11DC15469C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{22FB5956-9C8B-47FA-94F9-424FF1DDF47C}
3⤵
PID:1436

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 07C8406CAE96096D3956907D0482F812 E Global\MSI0000
2⤵
PID:4308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:180

C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Studio\ActiveDirectoryToolbox.exe
"C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Studio\ActiveDirectoryToolbox.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3372

C:\Windows\SYSTEM32\MSIEXEC.EXE
MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{BB6D331A-6299-459D-849C-91C637AF2291}\SureSense Active Directory Toolbox.msi" SETUPEXEDIR="C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Studio" SETUPEXENAME="ActiveDirectoryToolbox.exe"
2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4544

C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Server\SureSense_Server.exe
"C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Server\SureSense_Server.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4216

C:\Windows\SYSTEM32\MSIEXEC.EXE
MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{0F2E84C5-75A6-4D17-BE7A-EB33BE1140BB}\SureSense Server.msi" SETUPEXEDIR="C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Server" SETUPEXENAME="SureSense_Server.exe"
2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:1320

C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Server\ActiveDirectoryToolbox.exe
"C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Server\ActiveDirectoryToolbox.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4148

C:\Windows\SYSTEM32\MSIEXEC.EXE
MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{01F222F4-78AC-4BD9-B292-E2D74D99F848}\SureSense_Server Active Directory Toolbox.msi" SETUPEXEDIR="C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Server" SETUPEXENAME="ActiveDirectoryToolbox.exe"
2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:3716

C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Resources\jre-8u201-windows-x64.exe
"C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Resources\jre-8u201-windows-x64.exe"
1⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\jds241133578.tmp\jre-8u201-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jds241133578.tmp\jre-8u201-windows-x64.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:3104

C:\Program Files\Java\jre1.8.0_201\bin\javaw.exe
-Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre1.8.0_201\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserWebJavaStatus
3⤵
PID:2784

C:\Program Files\Java\jre1.8.0_201\bin\javaw.exe
-Djdk.disableLastUsageTracking -cp "C:\Program Files\Java\jre1.8.0_201\bin\..\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -getUserPreviousDecisionsExist 30
3⤵
PID:2136

C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Resources\jre-8u201-windows-x64.exe
"C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Resources\jre-8u201-windows-x64.exe"
1⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\jds241167359.tmp\jre-8u201-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jds241167359.tmp\jre-8u201-windows-x64.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:1588

C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Web\SureSenseWeb.exe
"C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Web\SureSenseWeb.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4956

C:\Windows\SYSTEM32\MSIEXEC.EXE
MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{86D419D1-3CBE-4F9E-A050-6D5F0FC288FC}\SureSense Web.msi" SETUPEXEDIR="C:\Users\Admin\Desktop\SureSense 6.2.0.61 Installers\Web" SETUPEXENAME="SureSenseWeb.exe"
2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:2224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery