Analysis

max time kernel: 44s
max time network: 119s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 14:25

Static task: static1

Behavioral task: behavioral1
Sample: 7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: 7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe
Resource: win10v2004-20240508-en

General

Target: 7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe
Size: 12.7MB
MD5: aae56f19fc8319d8246b55167bbb7dfc
SHA1: 2f7defd3b091f0bbc773e13751f135713f282edf
SHA256: 7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e
SHA512: 104cbab242eed12b215a3786cc5d7795faed3ed3792b5d296a634ff48ec28571590a4af68f7139bfc09c9c0dee2821434faaf70a97231b72f434f49195451dd4
SSDEEP: 196608:g07lhv4+zaZK4DT81o3LAKmP0R/7pS2E5RV9BYb3mnSdK/zvwpyFl1v6psjLm:z7zxzaZKt1o3IP0RsLRVk4fFl1v6pQ

Malware Config

Signatures

Disables RegEdit via registry modification (1 IoC)
Processes:
7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe: Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1"

Disables Task Manager via registry modification

Drops file in Drivers directory (1 IoC)
Processes:
7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe: File opened for modification C:\Windows\system32\drivers\etc\hosts

Sets file execution options in registry (2 TTPs, 7 IoCs)
Processes:
msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe
msiexec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe\DisableExceptionChainValidation = "0"
msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe
msiexec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe\DisableExceptionChainValidation = "0"
msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
msiexec.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe
msiexec.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe

ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
Processes:
\Users\Admin\AppData\Local\Temp\ascaris.dll (yara_rule: acprotect)

Executes dropped EXE (2 IoCs)
Processes:
2664 drawerror.exe
2828 Ghost.exe

Loads dropped DLL (10 IoCs)
Processes:
6324 MsiExec.exe
6324 MsiExec.exe
6324 MsiExec.exe
6324 MsiExec.exe
6324 MsiExec.exe
6324 MsiExec.exe
6324 MsiExec.exe
6596 MsiExec.exe
6844 MsiExec.exe
3020 7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe

Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes:
7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "c:\\cc.ico"

Registers COM server for autorun (1 TTP, 64 IoCs)
Processes:
msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8075731E-5146-11D5-A672-00B0D022E945}\InprocServer32
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D66DC78C-4F61-447F-942B-3FB6980118CF}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\VISSHE.DLL"
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\InprocServer32
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\InprocServer32\ThreadingModel = "Apartment"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll"
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{0006F045-0000-0000-C000-000000000046}\InprocServer32
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}\InprocServer32
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\InprocServer32
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\InprocServer32\ThreadingModel = "Apartment"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\InprocServer32\ThreadingModel = "Both"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32\ThreadingModel = "Apartment"
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{FAEA5B46-761B-400E-B53E-E805A97A543E}\InprocServer32
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\InprocServer32
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\InprocServer32
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EE84065-8BA3-4a8a-9542-6EC8B56A3378}\InprocServer32\ = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONFILTER.DLL"
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\InprocServer32
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D9160E22-BDF3-4D8A-818C-D99D10EC7BEF}\InprocServer32\ThreadingModel = "Apartment"
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{807573E5-5146-11D5-A672-00B0D022E945}\InprocServer32
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{64654B35-A024-4807-89D3-C6FDB5A260C7}\InprocServer32
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{95F35795-64B1-495D-9DE7-390EECC31EC0}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\NAMEEXT.DLL"
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\InprocServer32
msiexec.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E6-5146-11D5-A672-00B0D022E945}\InprocServer32\InprocServer32 = 7800620027004200560052002100210021002100340021002100210021004d004b004b0053006b00580044004f0043005300460069006c0065007300360034003e00390026006000570060003600720038004e003900410032006900240027006c0062007a006100480000000000
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E5-5146-11D5-A672-00B0D022E945}\InprocServer32\ThreadingModel = "Apartment"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64654B35-A024-4807-89D3-C6FDB5A260C7}\InprocServer32\ThreadingModel = "Apartment"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\InprocServer32\ThreadingModel = "Apartment"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\InprocServer32\ThreadingModel = "Both"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{977D8304-FAAA-4331-81DB-B67FC2134A38}\InprocServer32\ThreadingModel = "Apartment"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E73304-E1D6-4330-914C-F5F514E3486C}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\ONBttnIE.dll"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll"
msiexec.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32\InprocServer32 = 7800620027004200560052002100210021002100340021002100210021004d004b004b0053006b0056006900730069006f0036003400460069006c00650073003e0034002d007b0024004b00660073005e0036004100680024007b0041005000420059004f004800580000000000
msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE0A0A1-96D0-4B04-8EC6-2DBF9BD888DC}\InprocServer32
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\InprocServer32\ThreadingModel = "Apartment"
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B8D12492-CE0F-40AD-83EA-099A03D493F1}\InprocServer32
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8075731E-5146-11D5-A672-00B0D022E945}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\INLAUNCH.DLL"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\VISSHE.DLL"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\VISSHE.DLL"
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{8DE0A0A1-96D0-4B04-8EC6-2DBF9BD888DC}\InprocServer32
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32\ThreadingModel = "Apartment"
msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F90DFE0C-CBDF-41FF-8598-EDD8F222A2C8}\InprocServer32\ThreadingModel = "Both"
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{D9230E09-3737-43F5-8C78-BC4C83DC296C}\InprocServer32
msiexec.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{95F35795-64B1-495D-9DE7-390EECC31EC0}\InprocServer32
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ThreadingModel = "Apartment"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ThreadingModel = "Apartment"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E5-5146-11D5-A672-00B0D022E945}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLMF.DLL"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\InprocServer32\ThreadingModel = "Apartment"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4693FF15-B962-420A-9E5D-176F7D4B8321}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll"
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\InprocServer32
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\ONFILTER.DLL"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20E823C2-62F3-4638-96BD-90F4F6784EBC}\InprocServer32\ThreadingModel = "Both"
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\InprocServer32\ = "C:\\PROGRA~1\\MICROS~2\\Office14\\URLREDIR.DLL"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CB3F7806-3CB4-409C-BA3B-12D642BE371A}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\BCSLaunch.dll"
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\InprocServer32
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3CA78EDC-E48A-4A21-9562-9245BF90CE3F}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\NAMEEXT.DLL"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E6-5146-11D5-A672-00B0D022E945}\InprocServer32\ThreadingModel = "Apartment"
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}\InprocServer32
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}\InprocServer32\ = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONFILTER.DLL"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\InprocServer32\ThreadingModel = "Apartment"

Processes:
\Users\Admin\AppData\Local\Temp\ascaris.dll (yara_rule: upx)
behavioral1/memory/3020-202-0x0000000010000000-0x00000000100B3000-memory.dmp (yara_rule: upx)
behavioral1/memory/3020-214-0x0000000010000000-0x00000000100B3000-memory.dmp (yara_rule: upx)
behavioral1/memory/3020-218-0x0000000010000000-0x00000000100B3000-memory.dmp (yara_rule: upx)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe: Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe"

Enumerates connected drives (3 TTPs, 44 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exe: File opened (read-only) \??\G:
msiexec.exe: File opened (read-only) \??\L:
msiexec.exe: File opened (read-only) \??\N:
msiexec.exe: File opened (read-only) \??\W:
cmd.exe: File opened (read-only) \??\k:
cmd.exe: File opened (read-only) \??\j:
cmd.exe: File opened (read-only) \??\s:
cmd.exe: File opened (read-only) \??\x:
cmd.exe: File opened (read-only) \??\n:
cmd.exe: File opened (read-only) \??\p:
cmd.exe: File opened (read-only) \??\w:
msiexec.exe: File opened (read-only) \??\J:
msiexec.exe: File opened (read-only) \??\Q:
msiexec.exe: File opened (read-only) \??\Z:
cmd.exe: File opened (read-only) \??\h:
cmd.exe: File opened (read-only) \??\l:
cmd.exe: File opened (read-only) \??\m:
cmd.exe: File opened (read-only) \??\o:
msiexec.exe: File opened (read-only) \??\B:
msiexec.exe: File opened (read-only) \??\H:
msiexec.exe: File opened (read-only) \??\I:
msiexec.exe: File opened (read-only) \??\T:
cmd.exe: File opened (read-only) \??\i:
msiexec.exe: File opened (read-only) \??\E:
msiexec.exe: File opened (read-only) \??\P:
msiexec.exe: File opened (read-only) \??\X:
cmd.exe: File opened (read-only) \??\e:
cmd.exe: File opened (read-only) \??\v:
msiexec.exe: File opened (read-only) \??\R:
cmd.exe: File opened (read-only) \??\g:
cmd.exe: File opened (read-only) \??\q:
cmd.exe: File opened (read-only) \??\u:
cmd.exe: File opened (read-only) \??\y:
cmd.exe: File opened (read-only) \??\z:
msiexec.exe: File opened (read-only) \??\A:
msiexec.exe: File opened (read-only) \??\K:
msiexec.exe: File opened (read-only) \??\M:
msiexec.exe: File opened (read-only) \??\S:
cmd.exe: File opened (read-only) \??\t:
msiexec.exe: File opened (read-only) \??\O:
msiexec.exe: File opened (read-only) \??\U:
msiexec.exe: File opened (read-only) \??\V:
msiexec.exe: File opened (read-only) \??\Y:
cmd.exe: File opened (read-only) \??\r:

Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
msiexec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\NoExplorer = "1"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\ = "URLRedirectionBHO"

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes:
7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe: Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "1.bmp"

Drops file in Program Files directory (44 IoCs)
Processes:
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\AUTHZAX.DLL
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\BCSLaunch.dll
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\ONLNTCOMLIB.DLL
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\MSOHEV.DLL
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\Custom.propdesc
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\INLAUNCH.DLL
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\VisioCustom.propdesc
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\VISSHE.DLL
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\NAMEEXT.DLL
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll
msiexec.exe: File created C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE
msiexec.exe: File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL

Drops file in Windows directory (17 IoCs)
Processes:
msiexec.exe: File opened for modification C:\Windows\Installer\MSI4FEA.tmp
msiexec.exe: File opened for modification C:\Windows\Installer\MSI5425.tmp
msiexec.exe: File opened for modification C:\Windows\Installer\f764b73.mst
msiexec.exe: File opened for modification C:\Windows\Installer\MSI4E62.tmp
msiexec.exe: File created C:\Windows\Installer\f764b8a.ipi
msiexec.exe: File opened for modification C:\Windows\Installer\
msiexec.exe: File opened for modification C:\Windows\Installer\MSI501A.tmp
msiexec.exe: File opened for modification C:\Windows\Installer\MSI501B.tmp
msiexec.exe: File opened for modification C:\Windows\Installer\MSI4D09.tmp
msiexec.exe: File opened for modification C:\Windows\Installer\MSI4DE5.tmp
msiexec.exe: File opened for modification C:\Windows\Installer\f764b72.msi
msiexec.exe: File opened for modification C:\Windows\Installer\MSI5099.tmp
msiexec.exe: File opened for modification C:\Windows\Installer\MSI4ED1.tmp
msiexec.exe: File opened for modification C:\Windows\Installer\MSI5174.tmp
msiexec.exe: File opened for modification C:\Windows\Installer\f764b8a.ipi
msiexec.exe: File created C:\Windows\Installer\f764b72.msi
msiexec.exe: File created C:\Windows\Installer\f764b73.mst

Kills process with taskkill (17 IoCs)
Processes:
5408 taskkill.exe
1760 taskkill.exe
6552 taskkill.exe
6704 taskkill.exe
2792 taskkill.exe
6496 taskkill.exe
6900 taskkill.exe
6640 taskkill.exe
6756 taskkill.exe
7104 taskkill.exe
560 taskkill.exe
7028 taskkill.exe
2924 taskkill.exe
5848 taskkill.exe
1808 taskkill.exe
1372 taskkill.exe
6952 taskkill.exe

Modifies Control Panel (2 IoCs)
Processes:
7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe: Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WallpaperStyle = "2"
7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe: Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\TileWallpaper = "2"

Processes:
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\AppName = "IEContentService.exe"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\AppPath = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ClsidExtension = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\AppPath = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Icon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBTTN~1.DLL,103"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Default Visible = "Yes"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\AppName = "onenote.exe"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ButtonText = "OneNote Lin&ked Notes"
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
msiexec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\Policy = "3"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5054EC7-B9CB-4ad5-9F95-D8171A6D6BFA}\CLSID = "{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}"
msiexec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5054EC7-B9CB-4ad5-9F95-D8171A6D6BFA}\Policy = "3"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ButtonText = "Send to OneNote"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\HotIcon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBttnIE.dll,103"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ToolTip = "OneNote Linked Notes"
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5054EC7-B9CB-4ad5-9F95-D8171A6D6BFA}
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Default Visible = "Yes"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\MenuText = "OneNote Lin&ked Notes"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\HotIcon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBTTN~1.DLL,103"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ClsidExtension = "{FFFDC614-B694-4AE6-AB38-5D6374584B52}"
msiexec.exe: Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\MenuText = "Se&nd to OneNote"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Icon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBttnIE.dll,103"
msiexec.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ToolTip = "Send to OneNote"
msiexec.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}
msiexec.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\Policy = "3"

Modifies data under HKEY_USERS (3 IoCs)
Processes:
msiexec.exe: Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E
msiexec.exe: Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D
msiexec.exe: Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
PID 2828 Ghost.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
PID 3020 7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe
PID 3020 7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe
PID 2828 Ghost.exe
PID 3020 7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Process tree (image path, command line, PID; child processes are indented under their parent):
C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe  "C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe"  (PID 3020)
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\drawerror.exe  c:\drawerror.exe  (PID 2664)
    - Executes dropped EXE
  \??\c:\Ghost.exe  c:\Ghost.exe  (PID 2828)
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\cmd.exe  cmd /c c:\ÓðÒí.bat  (PID 2496)
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2600)
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2464)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2144)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1516)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1008)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2956)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2008)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1708)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1412)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2584)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3096)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3500)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4028)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4464)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5024)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5620)
      C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2472)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 748)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2040)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2840)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2944)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 992)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2880)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2620)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2128)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3284)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3804)
          - Modifies registry class
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4248)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4784)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5352)
      C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2512)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1852)
          C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4796)
          C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4836)
          C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4900)
          C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5016)
          C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5044)
          C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5112)
          C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3316)
          C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4416)
          C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5140)
          C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5200)
          C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5416)
            - Modifies registry class
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 352)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1872)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2104)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2156)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1520)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2552)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2076)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1720)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2084)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1568)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2888)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2844)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3160)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3612)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2824)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4576)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4052)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3344)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4604)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5124)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5152)
      C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1696)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1500)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1584)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2760)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 672)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1216)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1860)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3152)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3604)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3656)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3132)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4584)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4008)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5692)
      C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2092)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 576)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1560)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2440)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2704)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 868)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2996)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1644)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2544)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2652)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3080)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3452)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3928)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4420)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4976)
          - Modifies registry class
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5548)
      C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2404)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3832)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3860)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3980)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4012)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4040)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4088)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3172)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3572)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4128)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4304)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4884)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4948)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5500)
      C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2356)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3040)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2872)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1504)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2312)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2088)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2508)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3088)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3460)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3972)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4452)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5000)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5580)
      C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1732)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3756)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3888)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3920)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3956)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3988)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4056)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3408)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4200)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4728)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4776)
          - Modifies registry class
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5288)
      C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1020)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3780)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4104)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4148)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4284)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4324)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4376)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4436)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4488)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4560)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4696)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5264)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5320)
      C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1632)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3200)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3260)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3292)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3320)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3360)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3396)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3468)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3516)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3340)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3844)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4656)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4712)
      C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 1536)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3388)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3484)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3532)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3552)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3596)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3632)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3716)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3848)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4292)
          - Modifies registry class
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4348)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 4892)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5456)
      C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 2448)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3968)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 3528)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5172)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5224)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5248)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5304)
          - Modifies registry class
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5368)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5432)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5532)
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5568)
          - Modifies registry class
        C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 5700)
      C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /K C:\1.bat  (PID 236)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵PID:2268
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵PID:1432
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵PID:2220
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵PID:2216
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵PID:872
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵PID:1704
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵PID:3248
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵
- Modifies registry class
PID:3740 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵PID:4164
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵PID:4688
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵PID:4716
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵PID:4752
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵PID:4812
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵PID:4868
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\1.bat4⤵PID:5396
-
C:\Windows\SysWOW64\taskkill.exe | taskkill /im 360tray.exe /f | level 3 | PID 2924
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\reg.exe | reg add | level 3 | PID 1772
C:\Windows\SysWOW64\reg.exe | reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v nodrives /t REG_DWORD /d 60 /f | level 3 | PID 3344
C:\Windows\SysWOW64\reg.exe | reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f | level 3 | PID 4548
C:\Windows\SysWOW64\subst.exe | subst b: C:\ | level 3 | PID 5376
C:\Windows\SysWOW64\subst.exe | subst h: C:\ | level 3 | PID 5828
C:\Windows\SysWOW64\subst.exe | subst i: C:\ | level 3 | PID 5964
C:\Windows\SysWOW64\subst.exe | subst j: C:\ | level 3 | PID 6088
C:\Windows\SysWOW64\subst.exe | subst l: C:\ | level 3 | PID 6132
C:\Windows\SysWOW64\subst.exe | subst m: C:\ | level 3 | PID 6140
C:\Windows\SysWOW64\subst.exe | subst n: C:\ | level 3 | PID 4912
C:\Windows\SysWOW64\subst.exe | subst o: C:\ | level 3 | PID 4960
C:\Windows\SysWOW64\subst.exe | subst r: C:\ | level 3 | PID 5012
C:\Windows\SysWOW64\subst.exe | subst t: C:\ | level 3 | PID 5056
C:\Windows\SysWOW64\subst.exe | subst k: C:\ | level 3 | PID 4548
C:\Windows\SysWOW64\subst.exe | subst p: C:\ | level 3 | PID 4124
C:\Windows\SysWOW64\subst.exe | subst q: C:\ | level 3 | PID 5300
C:\Windows\SysWOW64\subst.exe | subst s: C:\ | level 3 | PID 5332
C:\Windows\SysWOW64\subst.exe | subst u: C:\ | level 3 | PID 5364
C:\Windows\SysWOW64\subst.exe | subst v: C:\ | level 3 | PID 2172
C:\Windows\SysWOW64\subst.exe | subst w: C:\ | level 3 | PID 5616
C:\Windows\SysWOW64\subst.exe | subst x: C:\ | level 3 | PID 4548
C:\Windows\SysWOW64\subst.exe | subst y: C:\ | level 3 | PID 4124
C:\Windows\SysWOW64\subst.exe | subst z: C:\ | level 3 | PID 5316
C:\Windows\SysWOW64\taskkill.exe | taskkill /im explorer.exe /f | level 3 | PID 5408
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\reg.exe | reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f | level 3 | PID 6344
C:\Windows\SysWOW64\reg.exe | reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideClock /t REG_DWORD /d 1 /f | level 3 | PID 6368
C:\Windows\SysWOW64\reg.exe | reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f | level 3 | PID 6384
C:\Windows\SysWOW64\reg.exe | reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWindowsUpdate /t REG_DWORD /d 01000000 /f | level 3 | PID 6396
C:\Windows\SysWOW64\reg.exe | reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f | level 3 | PID 6404
C:\Windows\SysWOW64\reg.exe | reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewContextMenu /t REG_DWORD /d 0 /f | level 3 | PID 6412
C:\Windows\SysWOW64\reg.exe | reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f | level 3 | PID 6420
C:\Windows\SysWOW64\reg.exe | reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /t REG_DWORD /d 1 /f | level 3 | PID 6428
C:\Windows\SysWOW64\cmd.exe | cmd /c c:\1.bat | level 2 | PID 5764
C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im 360tray.exe | level 2 | PID 5848
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\cmd.exe | cmd /c c:\±øÍÅ.bat | level 2 | PID 6168
  - Enumerates connected drives
C:\Windows\SysWOW64\cmd.exe | cmd /c c:\ascaris.bat | level 2 | PID 6184
C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im 360tray.exe | level 2 | PID 1760
  - Kills process with taskkill
C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im 360tray.exe | level 2 | PID 1808
  - Kills process with taskkill
C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im 360tray.exe | level 2 | PID 2792
  - Kills process with taskkill
C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im 360tray.exe | level 2 | PID 6496
  - Kills process with taskkill
C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im 360tray.exe | level 2 | PID 6552
  - Kills process with taskkill
C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im 360tray.exe | level 2 | PID 6640
  - Kills process with taskkill
C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im 360tray.exe | level 2 | PID 6704
  - Kills process with taskkill
C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im 360tray.exe | level 2 | PID 6756
  - Kills process with taskkill
C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im 360tray.exe | level 2 | PID 1372
  - Kills process with taskkill
C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im 360tray.exe | level 2 | PID 6900
  - Kills process with taskkill
C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im 360tray.exe | level 2 | PID 6952
  - Kills process with taskkill
C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im 360tray.exe | level 2 | PID 7028
  - Kills process with taskkill
C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im 360tray.exe | level 2 | PID 7104
  - Kills process with taskkill
C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im 360tray.exe | level 2 | PID 560
  - Kills process with taskkill
C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V | level 1 | PID 6204
  - Sets file execution options in registry
  - Registers COM server for autorun
  - Enumerates connected drives
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding 89AA0E1518C1DEBB53FCDBCF430BD7F0 | level 2 | PID 6324
  - Loads dropped DLL
C:\Windows\system32\MsiExec.exe | C:\Windows\system32\MsiExec.exe -Embedding 9652108142304D125EDC4B35EFDC49F5 | level 2 | PID 6596
  - Loads dropped DLL
C:\Windows\system32\MsiExec.exe | C:\Windows\system32\MsiExec.exe -Embedding ADE103713802510539AB0E24DFDE9BA8 M Global\MSI0000 | level 2 | PID 6844
  - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
  - Browser Extensions (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads
- Filesize: 28B
  MD5: ccff006fd8c4150a18669ced52244d6a
  SHA1: 743fe1b7fe0a8215fbb5eeeb95e55ba4f39cb01e
  SHA256: 3c32ecce41201efa27dd4e18d5d0b88c429fc9427829f565512e44b487ce120e
  SHA512: 114e98ad958e4cbdad94d24753c2a67a1080160c4fa35d9839420aa5de9f28446794c606b29d58f342f7316421ecfb877741957cd979736ea9fcfae06981bf79
- Filesize: 18B
  MD5: c6c7b4dcc81c27c76c49dfd2acee715e
  SHA1: ef6a2a2ccb276bc9a057cd0d6f0bd3867d1988b7
  SHA256: edc099fdfa8210f123cdc51dfb3256cc7dc3c0af614fd63e3c1d6182bf37ae21
  SHA512: b9d1aba58a20238e3870c9785a43d1c64273b3c332d545f8c363d02844214f6dcd3332c35281b2663ed2192728c33d915d457615c6f4057a1dccdea188d38898
- Filesize: 20KB
  MD5: 69c97e6fcc20eda26024caedc87449f3
  SHA1: 1d784041e60c83b6b5bd1a644a5daff8d7ddb627
  SHA256: a70f454dd1b123be4dda9ee8e22e3a5f414397b8a7ce221647d2e12f9244146a
  SHA512: de7f603f33ac35ceb1ef769e9a349f3887be451af1d7ea71996496db9584f820c483ae4c6db672b2b47b2c9330effe2cffac6a30aafe9396edb78fb680f776ec
- Filesize: 257KB
  MD5: d1f5ce6b23351677e54a245f46a9f8d2
  SHA1: 0d5c6749401248284767f16df92b726e727718ca
  SHA256: 57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc
  SHA512: 960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba
- Filesize: 363KB
  MD5: 4a843a97ae51c310b573a02ffd2a0e8e
  SHA1: 063fa914ccb07249123c0d5f4595935487635b20
  SHA256: 727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086
  SHA512: 905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2
- Filesize: 28KB
  MD5: 85221b3bcba8dbe4b4a46581aa49f760
  SHA1: 746645c92594bfc739f77812d67cfd85f4b92474
  SHA256: f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f
  SHA512: 060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d
- Filesize: 148KB
  MD5: 33908aa43ac0aaabc06a58d51b1c2cca
  SHA1: 0a0d1ce3435abe2eed635481bac69e1999031291
  SHA256: 4447faacefaba8f040822101e2a4103031660de9139e70ecff9aa3a89455a783
  SHA512: d5216a53df9cfbe1a78629c103286eb17042f639149c46b6a1cd76498531ae82afd265462fbe0ba9baaff275fc95c66504804f107c449f3fc5833b1ed9c3da46
- Filesize: 86KB
  MD5: ff58cd07bf4913ef899efd2dfb112553
  SHA1: f14c1681de808543071602f17a6299f8b4ba2ae8
  SHA256: 1afafe9157ff5670bbec8ce622f45d1ce51b3ee77b7348d3a237e232f06c5391
  SHA512: 23e27444b6cdc17fe56f3a80d6325c2be61ae84213bc7cdaad7bb96daa7e8d2d3defc1b96c3cee4a3f32dc464b0e05720bcf1c0e99626bf83de1b6d5aac000a3
- Filesize: 840B
  MD5: cc86e1a5224fcaa035e618fa766d5b53
  SHA1: 09913248e3983ee751bddca919599e9f5a07685a
  SHA256: 1aaf0d85389d6359d30f2d0f0942f8e1369871e75350f4fbcf1edd79836d9926
  SHA512: 177ecec47415e30c91e46576f472b9371818c73964b02c275a3e8f525fc5f6436d911cbb36ee72de15907f8e9b4c2bc2b5bbe662f44762ecec1120a99a2eef3b
- Filesize: 13KB
  MD5: 54552eebfc4c487d01daa63048efa72c
  SHA1: 7f0ef347eeae3b26efb3c24a83d03958cb7fa3ab
  SHA256: b085349f14e199ee7344ae9120898da281b6d410d6b595dffddb55f3645a251f
  SHA512: a1dc49c221da7ebe12229807664b164bc99bff4fa918cfd31a818ce779566b9e8d7eef22355b187dfa8d064d4ed92d164465a604ef79c824065a7e5e60669b23
- Filesize: 9KB
  MD5: a4b655c4580fad879c431ac265bd1409
  SHA1: f98d37a7c2a5a24f7d6871c87d150de4417e00ad
  SHA256: 2eba41b0399d91c5677f9ead8beb2610f94026a6a91c84ff7a4f19cfafbe61ad
  SHA512: af7124caef5babde34421550f1aef4c74b88ddd657c3eaf4af5887a61b6b8c31b09b199886cab92a87eb089502f049c11da266c900de02c8310058b4c704e854
- Filesize: 166B
  MD5: 32f678c01c8d5edca7ecaf35937259f6
  SHA1: 7079515682536cf2366bcdf0f44a8ce83a17c806
  SHA256: 80552c862831e82ffa22045b26efeef84e89576f0ab385b5b87d8467d98b9e94
  SHA512: 2833b2fd557b51505d8a2a251b664e51944c1a5e65109b76719d6ac970c3058159460b3d9205ab98ce65c32c066d52f1320fc79170c2b06a02c5ecbecaadcc7a
- Filesize: 2KB
  MD5: 8f0b90a560cc05a8fe5068d4db3087bd
  SHA1: 1d53e5256d162964cf38cf1d73ae6db8a633ea6d
  SHA256: 6db71de3499a83a9602d693e99d36127772c743b595e26f36c69cba2e2186f2e
  SHA512: df375eac9903fbe5675806f078e0faf0bb7342737ee34359edd3e55866ce5ecd27b09c5e8fff06e1463fe2ebb18bfbf93ce19adbcee986effa1dcbcd34a602a6
- Filesize: 224KB
  MD5: 4520eee1da294b6c8428cea200b81d18
  SHA1: 2d1478c5aef0934db397b8c593ec2432d9809b83
  SHA256: 9b2c140b6c47666024128b8ac9f1e8b2fe041caf6d286eec638018beb48394cd
  SHA512: aff152ec0672597c483d15fe04fe7ddf55155827a2df588ab83efc45301cedb670be23a566ee8c268e497d33e21b48ee8723ad812d253f9d1f284e3324734ac0