Malware Analysis Report

2025-08-05 20:57

Sample ID 240404-vwtk9sdd6y
Target fenix atc.7z
SHA256 4e24d3469f403d346aee8db502bcf8b774ab9558d1e00d1b1da869e15b6a72f6
Tags persistence
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 7/10

SHA256 4e24d3469f403d346aee8db502bcf8b774ab9558d1e00d1b1da869e15b6a72f6

Threat level: Shows suspicious behavior

The file fenix atc.7z was found to show suspicious behavior; the signature tables under each analysis stage below are the evidence behind that rating.

Malicious Activity Summary

persistence

Loads dropped DLL

Executes dropped EXE

Registers COM server for autorun

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-04 17:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-04 17:20

Reported 2024-04-04 17:51

Platform win10-20240404-es

Max time kernel 315s

Max time network 1593s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fenix atc\ATCFenixTelco.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\ATCFenixTelco.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fenix atc\ATCFenixTelco.exe

"C:\Users\Admin\AppData\Local\Temp\fenix atc\ATCFenixTelco.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
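The second process in this tree is rundll32.exe hosting the SHCreateLocalServerRunDll export of shell32.dll. That export is shell32's generic out-of-process COM host: the CLSID on the command line names the class being served, and -Embedding means the process was started by COM activation rather than launched by a user. The report does not say what {9aa46009-3ce0-458a-a354-715610a075e6} resolves to, so the check a practitioner wants is to resolve it on the detonation host, reading HKCU\Software\Classes\CLSID before HKLM, because a per-user entry takes precedence for a non-elevated caller and is a classic COM hijack location (elevated processes ignore per-user class registrations). The script below is an added example and not part of the report: it parses rundll32 command lines, reads the servers for a CLSID from the live registry when run on Windows, and otherwise evaluates them against a constructed registry view. That view deliberately leaves the report's CLSID unresolved; the two CLSIDs it does contain, the paths under them and the names hypothetical.exe / hypothetical.dll are made up for illustration.

```python
import re

CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)
# rundll32 <dll>,<entrypoint> [args]; both the host path and the dll may be quoted.
RUNDLL_RE = re.compile(
    r'^"?(?P<exe>[^"]*?rundll32\.exe)"?\s+"?(?P<module>[^",]+?)"?,(?P<entry>\S+)\s*(?P<args>.*)$',
    re.IGNORECASE,
)
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
SURROGATE = r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll "

# The command line recorded in the Processes table above.
REPORT_CMDLINE = SURROGATE + "{9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"

# Constructed registry view for offline use: CLSID -> {(hive, server kind): path}.
# The report does not say what {9AA46009-...} resolves to on the detonation host, so it
# is deliberately absent. Both CLSIDs below and every path under them are made up.
HIJACKED = "{00000000-1111-2222-3333-444444444444}"
NORMAL = "{00000000-5555-6666-7777-888888888888}"
HYPOTHETICAL_VIEW = {
    HIJACKED: {
        ("HKCU", "LocalServer32"): r"C:\Users\Admin\AppData\Roaming\hypothetical.exe",
        ("HKLM", "LocalServer32"): SURROGATE + HIJACKED,
        ("HKLM", "InprocServer32"): r"C:\Windows\System32\hypothetical.dll",
    },
    NORMAL: {
        ("HKLM", "LocalServer32"): SURROGATE + NORMAL,
        ("HKLM", "InprocServer32"): r"C:\Windows\System32\hypothetical.dll",
    },
}


def parse_rundll32(cmdline):
    """Split a rundll32 command line into host, module, entry point and arguments."""
    m = RUNDLL_RE.match(cmdline.strip())
    if not m:
        return None
    info = m.groupdict()
    found = CLSID_RE.findall(info["args"])
    info["clsid"] = found[0].upper() if found else None
    info["embedding"] = "-embedding" in info["args"].lower()  # started by COM activation
    info["com_surrogate"] = info["entry"].lower() == "shcreatelocalserverrundll"
    return info


def live_clsid_view(clsid):
    """Windows only: read the LocalServer32/InprocServer32 defaults for one CLSID, keeping
    HKCU and HKLM apart so the caller can see which hive wins. 64-bit Python reads the
    64-bit view; pass access=winreg.KEY_READ | winreg.KEY_WOW64_32KEY for 32-bit classes."""
    import winreg  # only available on Windows
    view = {}
    for hive, root in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        for kind in ("LocalServer32", "InprocServer32"):
            try:
                with winreg.OpenKey(root, "Software\\Classes\\CLSID\\" + clsid + "\\" + kind) as key:
                    view[(hive, kind)] = winreg.QueryValueEx(key, "")[0]  # "" = default value
            except OSError:
                pass
    return {clsid: view}


def assess(cmdline, clsid_view):
    """Decide what a rundll32 line means once its CLSID is resolved through clsid_view."""
    info = parse_rundll32(cmdline)
    if info is None:
        return {"verdict": "not-rundll32"}
    if not info["com_surrogate"]:
        return {"verdict": "plain-rundll32", "module": info["module"], "entry": info["entry"]}
    if info["clsid"] is None:
        return {"verdict": "surrogate-without-clsid"}
    servers = clsid_view.get(info["clsid"], {})
    # COM consults HKCU\Software\Classes before HKLM for non-elevated callers.
    for hive in ("HKCU", "HKLM"):
        for kind in ("LocalServer32", "InprocServer32"):
            path = servers.get((hive, kind))
            if path is None:
                continue
            if kind == "LocalServer32" and "shcreatelocalserverrundll" in path.lower():
                continue  # that is this same rundll32 line; the code that runs is the InprocServer32 DLL
            suspicious = hive == "HKCU" or any(m in path.lower() for m in USER_WRITABLE_MARKERS)
            return {"verdict": "suspicious" if suspicious else "system-registered",
                    "clsid": info["clsid"], "hive": hive, "kind": kind, "server": path}
    return {"verdict": "unresolved", "clsid": info["clsid"]}


if __name__ == "__main__":
    for line in (REPORT_CMDLINE, SURROGATE + HIJACKED + " -Embedding", SURROGATE + NORMAL):
        print(assess(line, HYPOTHETICAL_VIEW))
```

On the detonation host, `assess(REPORT_CMDLINE, live_clsid_view("{9AA46009-3CE0-458A-A354-715610A075E6}"))` gives the real answer; offline, the report's line comes back unresolved, which is the honest state of the evidence on this page. The LocalServer32 skip matters because for classes hosted this way the LocalServer32 value is the rundll32 line itself, so the DLL named in InprocServer32 is what actually executed.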

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
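The Network table for this run contains only three PTR (reverse DNS) queries sent to 8.8.8.8. It records the query names rather than the addresses being resolved and does not attribute the queries to a process, so on its own it shows neither a connection made by the sample nor any command-and-control traffic. The helper below is an added example, not taken from the report: it turns in-addr.arpa and ip6.arpa names back into addresses and buckets them so an analyst can see at a glance whether a looked-up address is private, loopback or global. The three names are copied from the table; the IPv6 branch and the other sample names in the usage are constructed.

```python
import ipaddress

# Constructed input: the three PTR query names from the Network table above.
SAMPLE_PTR_QUERIES = [
    "19.229.111.52.in-addr.arpa",
    "30.73.42.20.in-addr.arpa",
    "172.210.232.199.in-addr.arpa",
]


def reverse_name_to_ip(name):
    """Recover the address behind a PTR query name.

    in-addr.arpa carries the four IPv4 octets in reverse order; ip6.arpa carries
    the 32 IPv6 nibbles in reverse order. Returns an ipaddress object, or None for
    anything else (including partial zone names such as 52.in-addr.arpa).
    """
    labels = name.strip().rstrip(".").lower().split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = "".join(reversed(labels[:32]))
            return ipaddress.IPv6Address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:  # non-numeric octet, bad nibble, or out-of-range value
        return None
    return None


def classify(ip):
    """Coarse bucket used to decide whether a looked-up address is worth chasing."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_global:
        return "global"
    return "reserved"


def summarize(queries):
    """Return (query name, address or None, bucket) for each PTR query name."""
    rows = []
    for q in queries:
        ip = reverse_name_to_ip(q)
        rows.append((q, str(ip) if ip else None, classify(ip) if ip else "not-a-reverse-name"))
    return rows


if __name__ == "__main__":
    for q, ip, bucket in summarize(SAMPLE_PTR_QUERIES):
        print(f"{q:32s} -> {ip or '-':18s} {bucket}")
```

Run as a script it prints one line per query; the three names from the table come out as 52.111.229.19, 20.42.73.30 and 199.232.210.172, all global. The report does not say who owns those addresses or which process asked for them, so check them against WHOIS/ASN data and the full process-attributed network capture before reading anything into them.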

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-04 17:20

Reported 2024-04-04 17:51

Platform win10-20240404-es

Max time kernel 852s

Max time network 1604s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites\LinkCreator.exe N/A

Registers COM server for autorun

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6673B1C-A73E-474C-92E4-AB5E94671004}\InprocServer32\ C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3D84B75C-CFA2-465B-9E1E-7F006548EFF5}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{323F3798-5552-42BB-B220-AC4A2C5D6C23}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{323F3798-5552-42BB-B220-AC4A2C5D6C23}\InprocServer32\ C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C69C7B9A-43FF-4CA5-A1FF-3121B57854B5}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3D84B75C-CFA2-465B-9E1E-7F006548EFF5}\InprocServer32\ C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46856CFF-3BBB-45C9-B233-ECDEF7D7336C}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{41C6678B-39FC-4147-AEC1-EA83E190DFCA}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{41C6678B-39FC-4147-AEC1-EA83E190DFCA}\InprocServer32\ C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{46856CFF-3BBB-45C9-B233-ECDEF7D7336C}\InprocServer32\ C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8EB26D16-0389-4306-8C61-344C752A9D0E}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8EB26D16-0389-4306-8C61-344C752A9D0E}\InprocServer32\ C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6A0EE08-3102-47BB-85E0-306695307D96}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6A0EE08-3102-47BB-85E0-306695307D96}\InprocServer32\ C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DEEE1BC3-7100-4E13-88EC-3BFD50FEEC89}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C69C7B9A-43FF-4CA5-A1FF-3121B57854B5}\InprocServer32\ C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D6141D-CB63-4777-A679-6B529B52CFA5}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D6141D-CB63-4777-A679-6B529B52CFA5}\InprocServer32\ C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6673B1C-A73E-474C-92E4-AB5E94671004}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DEEE1BC3-7100-4E13-88EC-3BFD50FEEC89}\InprocServer32\ C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\MSBIND.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\MSSTDFMT.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\mtxas.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\perfc009.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\AUTPRX32.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\CLIREG32.EXE C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\COMCT332.OCX C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\MSCOMCT2.OCX C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\perfh009.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\MSDATGRD.OCX C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\TABCTL32.OCX C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\VB6STKIT.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\textField.ocx C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\MSCOMCTL.OCX C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SysWOW64\MSFLXGRD.OCX C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\GATCFenix\{A8CA5158-A021-465A-8B2D-A9D52D2F05F2}\PaginarATC.TLB C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\GATCFenix\ST6UNST.LOG C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\GATCFenix\{A8CA5158-A021-465A-8B2D-A9D52D2F05F2}\bllFenixTelco.TLB C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\GATCFenix\{A8CA5158-A021-465A-8B2D-A9D52D2F05F2}\Codifica.TLB C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\GATCFenix\{A8CA5158-A021-465A-8B2D-A9D52D2F05F2}\dalFenixTelco.TLB C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\GATCFenix\{A8CA5158-A021-465A-8B2D-A9D52D2F05F2}\InterfazFACTURA.TLB C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\INF\stornvme.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\capimg.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened for modification C:\Windows\INF\iastorv.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened for modification C:\Windows\INF\sdstor.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened for modification C:\Windows\INF\urssynopsys.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File created C:\Windows\INF\capimg.PNF C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\sdstor.PNF C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\ufxsynopsys.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\mdmbtmdm.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened for modification C:\Windows\INF\hdaudbus.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\ksfilter.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\iai2c.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\mtconfig.PNF C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\netevbda.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\hidir.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened for modification C:\Windows\INF\iaLPSS2i_I2C_SKL.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened for modification C:\Windows\INF\circlass.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\iaLPSS2i_GPIO2_BXT_P.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\wdmaudio.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\netavpna.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\umpass.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\usbport.PNF C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\bcmfn2.PNF C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\errdev.PNF C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\usbstor.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\acpitime.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened for modification C:\Windows\INF\iaLPSS2i_GPIO2_BXT_P.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened for modification C:\Windows\INF\vstxraid.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File created C:\Windows\INF\iastorv.PNF C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\usb.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\iai2c.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened for modification C:\Windows\INF\netbvbda.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\urschipidea.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\xinputhid.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\vstxraid.PNF C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\acpidev.PNF C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\usbport.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\buttonconverter.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\usbprint.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\wvmbus.PNF C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\iagpio.PNF C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\iaLPSS2i_GPIO2_SKL.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\umpass.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened for modification C:\Windows\INF\uaspstor.PNF C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\iaLPSS2i_I2C_BXT_P.PNF C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\msgpiowin32.PNF C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\virtdisk.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\winusb.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File created C:\Windows\INF\input.PNF C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\usbhub3.PNF C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\{1382EE9A-F428-4369-96DD-923A48199735}.job C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\INF\wstorflt.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened for modification C:\Windows\INF\errdev.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened for modification C:\Windows\INF\ialpssi_gpio.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\wdmaudio.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened for modification C:\Windows\INF\urssynopsys.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\wvmgid.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\ialpssi_i2c.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\iastorv.PNF C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\hidbatt.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened for modification C:\Windows\INF\hidbth.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened for modification C:\Windows\INF\nvdimmn.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened for modification C:\Windows\INF\xboxgip.PNF C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Programmable\ C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F6AA700-D188-11CD-AD48-00AA003C9CB6}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C3-4442-11D1-8906-00A0C9110049}\ = "_DDataBoundAndDataSourceClass" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{586A6352-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E3BF6AB-8E4E-4C0E-B29B-F3D2DF534266}\TypeLib\Version = "1.0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4C466B8-499F-101B-BB78-00AA00383CBB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C51B910-900B-11D0-9484-00A0C91110ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE42-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSCOMCTL.OCX" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{41C6678B-39FC-4147-AEC1-EA83E190DFCA}\ C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C19B1691-4543-4993-9892-8E1795CFB605}\TypeLib\Version = "1.0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDE57A52-8B86-11D0-B3C6-00A0C90AEA82}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E60C550-7BD6-11D0-9482-00A0C91110ED}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41C6678B-39FC-4147-AEC1-EA83E190DFCA}\ProgID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2F13ED0-91B0-11D0-9484-00A0C91110ED}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F21-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{603C7E7E-87C2-11D1-8BE3-0000F8754DA1} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{38911D91-E448-11D0-84A3-00DD01104159} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}\TypeLib\Version = "6.0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6262D3A0-531B-11CF-91F6-C2863C385E30}\MiscStatus\1\ = "131473" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11D6141D-CB63-4777-A679-6B529B52CFA5}\InstalledVersion\ = "1,0,0,0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\MiscStatus\1\ = "131473" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\MiscStatus\ = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45046D60-08CA-11CF-A90F-00AA0062BB4C}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5522DAF8-06D6-11D2-8D70-00A0C98B28E2}\TypeLib\ = "{38911DA0-E448-11D0-84A3-00DD01104159}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}\ = "ImageListEvents" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6262D3A0-531B-11CF-91F6-C2863C385E30}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}\ C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20DD1B9D-87C4-11D1-8BE3-0000F8754DA1}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F26-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{38911D8F-E448-11D0-84A3-00DD01104159}\TypeLib\ = "{38911DA0-E448-11D0-84A3-00DD01104159}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FED-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{38911D8F-E448-11D0-84A3-00DD01104159}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8EB26D16-0389-4306-8C61-344C752A9D0E}\ C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38911D92-E448-11D0-84A3-00DD01104159}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}\ C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.SBarCtrl.2\CLSID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41C6678B-39FC-4147-AEC1-EA83E190DFCA}\AppID = "{A8CA5158-A021-465A-8B2D-A9D52D2F05F2}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Control\ C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867A4-8586-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}\2.0\0 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E67C3C6D-1314-473F-92AF-1C292D583170}\1.0\0 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5522DAF9-06D6-11D2-8D70-00A0C98B28E2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Licenses\ = "Licensing: Copying the keys may be a violation of established copyrights." C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5522DAF7-06D6-11D2-8D70-00A0C98B28E2}\ = "Band" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8EB26D16-0389-4306-8C61-344C752A9D0E}\AppID = "{A8CA5158-A021-465A-8B2D-A9D52D2F05F2}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDE57A43-8B86-11D0-B3C6-00A0C90AEA82}\Programmable\ C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56BF9020-7A2F-11D0-9482-00A0C91110ED}\1.0\FLAGS\ = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}\ C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CDE57A52-8B86-11D0-B3C6-00A0C90AEA82}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{38911D92-E448-11D0-84A3-00DD01104159}\Required Categories C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\MiscStatus\ = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\MiscStatus\ = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA660-8594-11D1-B16A-00C0F0283628}\TypeLib C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4324 wrote to memory of 2756 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4324 wrote to memory of 2756 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4324 wrote to memory of 2756 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2756 wrote to memory of 4588 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe
PID 2756 wrote to memory of 4588 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe
PID 2756 wrote to memory of 4588 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe
PID 1260 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe
PID 1260 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe
PID 1260 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe
PID 4324 wrote to memory of 1376 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4324 wrote to memory of 1376 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4324 wrote to memory of 1376 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2756 wrote to memory of 3916 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites\LinkCreator.exe
PID 2756 wrote to memory of 3916 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites\LinkCreator.exe
PID 2756 wrote to memory of 3916 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites\LinkCreator.exe
PID 1260 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2248 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2248 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3168 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3168 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3168 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2248 wrote to memory of 4464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2248 wrote to memory of 4464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2248 wrote to memory of 4464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2248 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3168 wrote to memory of 3772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3168 wrote to memory of 3772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3168 wrote to memory of 3772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3168 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3168 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3168 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3168 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3168 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3168 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 94B722DBF6921C3B1AAB63C7E2B771AF C

C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe" /groupsextract:100; /out:"C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites" /callbackid:2756

C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe" /i "C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC 1.0\install\FenixATCInstaller.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\GATCFenix" CLIENTPROCESSID="1260" SECONDSEQUENCE="1" CHAINERUIPROCESSID="1260Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="LinkCreator,MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_PREREQFILES="C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites\LinkCreator.exe" AI_PREREQDIRS="C:\Users\Admin\AppData\Roaming\Tulpep Services" AI_MISSING_PREREQS="Link Creator" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\fenix atc\" EXE_CMD_LINE="/exenoupdates " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\fenix atc\FenixATCInstaller.exe" AI_INSTALL="1"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 918CB0791A687C072AF098ADB1AA54DA

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites\LinkCreator.exe

"C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites\LinkCreator.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE5288.tmp.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE5306.tmp.bat" "

C:\Windows\SysWOW64\attrib.exe

ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\TULPEP~1\FENIXA~1.0\install\FENIXA~1.MSI"

C:\Windows\SysWOW64\attrib.exe

ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\TULPEP~1\FENIXA~1.0\install\FENIXA~1.MSI"

C:\Windows\SysWOW64\attrib.exe

ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE5288.tmp.bat"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE5288.tmp.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" cls"

C:\Windows\SysWOW64\attrib.exe

ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE5306.tmp.bat"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE5306.tmp.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" cls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC 1.0\install\FenixATCInstaller.msi

MD5 bda8dc57111676f6b43f2d5bbe53dffb
SHA1 3ef31fe9ecaba05f94655a7ed648d4e95360635a
SHA256 bcd6373798ab7a398b5022d01ff3eb69338e7e4438816c8af88a61d357762b2c
SHA512 8ee3f8f9abaa752ed8760e645e3b337dfa079dd5c185a0c5caa8238edc64b21ba074b60880daba8b879bc371c6375b5784809783fa211b3152de0f7083e4f5bf

C:\Users\Admin\AppData\Local\Temp\MSI9319.tmp

MD5 55760599c990fee4c086e60299fa0dfc
SHA1 56505e3b1b3c934c8838c8daf4f69eb2de31e067
SHA256 40a493cb6d5a97cb5462f260ea0753ec47e07ac837d0e12d4cab33f985a5a14f
SHA512 c0a9b1ceb796d92362661d690ccb0fe0146c6d5b0edceb404b165544ceecc7ca9cf8ae36afafc96adae90837bd24e62b1cbfc50600fc676b2c19928fabd217aa

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1260\dialog

MD5 8d5de8960e1a6886365d3f1dc3f81fe4
SHA1 a3ea4a68c7c59d41daa2a12ec2ddd481bda8fe24
SHA256 6e1731d0bc8ceb2bb5677d4b0c5c76ca5510602e0707b19ecb6e8d6f6f51eb8f
SHA512 ac81f511a8dcbce9018569ea0c0fbaced44a3191466c77bb5ab5bc3aac313d08643803d7d11619fa7f8cf10411e870e9a73246ed6f84cea9121e78c3e150b94d

C:\Users\Admin\AppData\Local\Temp\MSI965A.tmp

MD5 bce340727602986cc8af524c0b9cd485
SHA1 03a542bb35d1d87e769488d6f23f0b2be29ba756
SHA256 cb5636ea725024d13398a51a487227deca2bbdeaa7bb046064ea3cd33b4680ef
SHA512 67faa08f55d878a455292b73ff0cbaaee9d81c7ab6a874e579143cf621fe22ac864c2be8ac9f9707a9cf52cf2c62754e54fa08be54501ed9d2327900a4079fc6

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1260\banner

MD5 64e447b9b303d386f4970839dc815705
SHA1 6042a4edc7d8e2ab41c589530283c3c43788ea0c
SHA256 ca9e2568668e53b2d5f8e276581f31d517cd8d490daba5013a743bd497de5f73
SHA512 2b35642edbb881cd45efc6cfbb3c39cedb235b0a17abe12c2194cd352109f9aeb646dd70279c2290ab8ea2e043528786fac61404733b7987eb8172c6ee81db98

C:\Users\Admin\AppData\Local\Temp\shi50F9.tmp

MD5 032bb369103dac02606fb919f6658f3c
SHA1 60b39428ab3493aab7babf3a1c5f2a951ae853bd
SHA256 daa61c42d53be45c7709a0b0f66a51a0a47ca84eab787e0627f6da255c96ddff
SHA512 0f1fb9bb34e699ee6d4a1dc58f99514fb1df81ad0cf37b3ffe938295a70d832a5702cec3df16d30d400c77014d09228e6d02d3e65d5d6d0f1c5e34f39d55e313

C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC 1.0\install\FenixATCInstaller1.cab

MD5 7135aa7efe759b7e0cb9dcf9e97decc2
SHA1 adbb38f5448afaa6319fc521e4f1a201b096013c
SHA256 95d0e7a9a24b64de615e408b80819d50272a126202e199f5849b03b45c281d8f
SHA512 65888da58a5e2bec2ba08f2ba0899c3f2976290a60e14353280960a1ba628e51cd5a5e8ce119f4ca9ff480f4bf72e6163b1b9ac07822278e1ea4ecf5653e9e91

C:\Config.Msi\e58555f.rbs

MD5 7c5a29ecb20c76f38ec79bf3fb4fc1bb
SHA1 1107c11200ef74a623a6584b4528cb8022f94cc4
SHA256 a523026d1c240b23a6e9f09474a4d1305c6237cd05949083556c546feb2e3948
SHA512 a6e1ba81def48a50e548563d90cec895c3c7eb71110c60d6c528b842a0e8f2ed8b6174982146bf6c04275b9ef804273f6b714f78ee5e037a8301c430abf0c65c

C:\Windows\Registration\R000000000008.clb

MD5 92d8821c54a5373c52f2e57f5c226015
SHA1 cb4efac6b966ecb5339923dc4df0fb12a89990a5
SHA256 2f15d7ca940e8ffd4fdbe888aa20fb34f852c6ee6bab1ab95542772ce7ff3557
SHA512 30767e2d583e57105f48532125f9de05160f89ca511264c6bf09c9b41a9c4f1a9d3a9c6d9b82608ca5f7eff70358a386e2eb1f58123d015418c1911ac8e65c58

C:\Users\Admin\AppData\Roaming\Tulpep Services\Fenix ATC\prerequisites\LinkCreator.exe

MD5 cb5af0df19fb79cd9e28214ea1cc63c6
SHA1 f96c597d9fe1f97a6db7722637a0376d861eb4cd
SHA256 804b33e2a9d7c6a5c21c1f2b138e84fa703156671411460395953b203f4d3eda
SHA512 fa5cb7da665c39013daa8f4cc8dcfb16c99f22b6b4a835ab5c35d7f0ea263e8318a1603ab48fd91a1218b0ab53f4f89169ba76213fcc623a7936f33c51e083ef

C:\Users\Admin\AppData\Local\Temp\EXE5288.tmp.bat

MD5 eaaf90b679bc25bc2dd01274b26a6f77
SHA1 4a5b148f002b2e20d18aa08d3ec30975b5e5ce1a
SHA256 ec2627a53a98411f35c2ad2006d9dcfde7b78522e4e50d381ea738ff1c5aeac4
SHA512 2a06b1749b525ba5a3ed7ff672e8c94fcfa2baac4aff98103ffa18149ed5e09d92d2a82d0b19153b821ee543281ad2e08d9aa7f6e623b9ec410a6da0593df021

C:\Users\Admin\AppData\Local\Temp\EXE5306.tmp.bat

MD5 673b8f14e6881c7fd676140fb34064a7
SHA1 0a77ea00c4b662e2e6dec4da1ef28b1e74efd1b2
SHA256 82a3f673899d47cc4057ac37286334ff353d13eac2a77c68bcfdab0944a18b8e
SHA512 abad273f53d98ca2b1efc76c0f1de0fd372793ae4f49bb43d8c2a5d9218ca55d3aade70fc6e4d0b22bc4c5f81e337e2a1d8c1a492370d824940752135d2c7131