Malware Analysis Report

2024-10-19 11:03

Sample ID 240523-rrdgpseb6y
Target 7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e
SHA256 7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e
Tags
adware evasion persistence ransomware stealer upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e

Threat Level: Likely malicious

The file 7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e was found to be: Likely malicious.

Malicious Activity Summary

adware evasion persistence ransomware stealer upx

Sets file execution options in registry

Drops file in Drivers directory

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Loads dropped DLL

Executes dropped EXE

Registers COM server for autorun

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Modifies system executable filetype association

Adds Run key to start application

Enumerates connected drives

Installs/modifies Browser Helper Object

Sets desktop wallpaper using registry

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Modifies Control Panel

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-23 14:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 14:25

Reported

2024-05-23 14:27

Platform

win7-20240419-en

Max time kernel

44s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A

Disables Task Manager via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe\DisableExceptionChainValidation = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe\DisableExceptionChainValidation = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe C:\Windows\system32\msiexec.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\drawerror.exe N/A
N/A N/A \??\c:\Ghost.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "c:\\cc.ico" C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8075731E-5146-11D5-A672-00B0D022E945}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D66DC78C-4F61-447F-942B-3FB6980118CF}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\VISSHE.DLL" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{0006F045-0000-0000-C000-000000000046}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{FAEA5B46-761B-400E-B53E-E805A97A543E}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EE84065-8BA3-4a8a-9542-6EC8B56A3378}\InprocServer32\ = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONFILTER.DLL" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D9160E22-BDF3-4D8A-818C-D99D10EC7BEF}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{807573E5-5146-11D5-A672-00B0D022E945}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{64654B35-A024-4807-89D3-C6FDB5A260C7}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{95F35795-64B1-495D-9DE7-390EECC31EC0}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\NAMEEXT.DLL" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E6-5146-11D5-A672-00B0D022E945}\InprocServer32\InprocServer32 = 7800620027004200560052002100210021002100340021002100210021004d004b004b0053006b00580044004f0043005300460069006c0065007300360034003e00390026006000570060003600720038004e003900410032006900240027006c0062007a006100480000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E5-5146-11D5-A672-00B0D022E945}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64654B35-A024-4807-89D3-C6FDB5A260C7}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{977D8304-FAAA-4331-81DB-B67FC2134A38}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E73304-E1D6-4330-914C-F5F514E3486C}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\ONBttnIE.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32\InprocServer32 = 7800620027004200560052002100210021002100340021002100210021004d004b004b0053006b0056006900730069006f0036003400460069006c00650073003e0034002d007b0024004b00660073005e0036004100680024007b0041005000420059004f004800580000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE0A0A1-96D0-4B04-8EC6-2DBF9BD888DC}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B8D12492-CE0F-40AD-83EA-099A03D493F1}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8075731E-5146-11D5-A672-00B0D022E945}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\INLAUNCH.DLL" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\VISSHE.DLL" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\VISSHE.DLL" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{8DE0A0A1-96D0-4B04-8EC6-2DBF9BD888DC}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F90DFE0C-CBDF-41FF-8598-EDD8F222A2C8}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{D9230E09-3737-43F5-8C78-BC4C83DC296C}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{95F35795-64B1-495D-9DE7-390EECC31EC0}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E5-5146-11D5-A672-00B0D022E945}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLMF.DLL" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4693FF15-B962-420A-9E5D-176F7D4B8321}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\ONFILTER.DLL" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20E823C2-62F3-4638-96BD-90F4F6784EBC}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\InprocServer32\ = "C:\\PROGRA~1\\MICROS~2\\Office14\\URLREDIR.DLL" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CB3F7806-3CB4-409C-BA3B-12D642BE371A}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\BCSLaunch.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3CA78EDC-E48A-4A21-9562-9245BF90CE3F}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\NAMEEXT.DLL" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E6-5146-11D5-A672-00B0D022E945}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}\InprocServer32\ = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONFILTER.DLL" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe" C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\cmd.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\NoExplorer = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\ = "URLRedirectionBHO" C:\Windows\system32\msiexec.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "1.bmp" C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\Office14\AUTHZAX.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Microsoft Office\Office14\BCSLaunch.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Microsoft Office\Office14\ONLNTCOMLIB.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Microsoft Office\Office14\MSOHEV.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Microsoft Office\Office14\Custom.propdesc C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Microsoft Office\Office14\INLAUNCH.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Microsoft Office\Office14\VisioCustom.propdesc C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Microsoft Office\Office14\VISSHE.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Microsoft Office\Office14\NAMEEXT.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI4FEA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5425.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f764b73.mst C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4E62.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f764b8a.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI501A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI501B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4D09.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4DE5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f764b72.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5099.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4ED1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5174.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f764b8a.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f764b72.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f764b73.mst C:\Windows\system32\msiexec.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\TileWallpaper = "2" C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\AppName = "IEContentService.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\AppPath = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ClsidExtension = "{48E73304-E1D6-4330-914C-F5F514E3486C}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\AppPath = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Icon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBTTN~1.DLL,103" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Default Visible = "Yes" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\AppName = "onenote.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ButtonText = "OneNote Lin&ked Notes" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5054EC7-B9CB-4ad5-9F95-D8171A6D6BFA}\CLSID = "{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5054EC7-B9CB-4ad5-9F95-D8171A6D6BFA}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ButtonText = "Send to OneNote" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\HotIcon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBttnIE.dll,103" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ToolTip = "OneNote Linked Notes" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5054EC7-B9CB-4ad5-9F95-D8171A6D6BFA} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Default Visible = "Yes" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\MenuText = "OneNote Lin&ked Notes" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\HotIcon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBTTN~1.DLL,103" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ClsidExtension = "{FFFDC614-B694-4AE6-AB38-5D6374584B52}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\MenuText = "Se&nd to OneNote" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Icon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBttnIE.dll,103" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ToolTip = "Send to OneNote" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\Policy = "3" C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{096CD5DE-0786-11D1-95FA-0080C78EE3BB} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Search.OneIndexHandler.2\CLSID\ = "{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.potm\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneNote.IEAddin.LinkedNotes.14\CLSID\ = "{FFFDC614-B694-4AE6-AB38-5D6374584B52}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\OSPPWMI.OSppWmiTokenActivationSigner C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AAB9C2AA-6036-4AE1-A41C-A40AB7F39520}\a.0\ = "Microsoft Visual Studio Tools for Office Execution Engine Type Library" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\BCSLaunch.Launcher.1\CLSID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBBC4772-C9A4-4FE8-B34B-5EFBD68F8E27}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{7CCA70DB-DE7A-4FB7-9B2B-52E2335A3B5A} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{E772CEB3-E203-4828-ADF1-765713D981B8} C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9164592-D558-4EE7-8B41-F1C9F66D683A}\1.0\FLAGS C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\odcdatabase.1\HTML Handler\ = "\"C:\\PROGRA~1\\MICROS~2\\Office14\\MSOHTMED.EXE\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Sharepoint.OpenXMLDocuments C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VisShe.ImageExtractorShellExt\CurVer C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.pptm\ShellEx\PropertyHandler C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.xlsb\ShellEx\PropertyHandler C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{807573E5-5146-11D5-A672-00B0D022E945}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CCA70DB-DE7A-4FB7-9B2B-52E2335A3B5A}\ShellFolder\Attributes = 000010b8 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{E87ECCF7-3CBA-45CF-B58E-1A6630D39199}\Programmable C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{977D8304-FAAA-4331-81DB-B67FC2134A38} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE2A4AD-F2F4-4BA7-98B1-67C96736CD5F}\ = "IOneNoteIEAddinButton" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VisShe.IconHandlerShellExt\CLSID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\OSPPWMI.OSppWmiTokenActivationSigner.1\CLSID C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E73304-E1D6-4330-914C-F5F514E3486C}\ProgID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32\InprocServer32 = 7800620027004200560052002100210021002100340021002100210021004d004b004b0053006b0056006900730069006f0036003400460069006c00650073003e0034002d007b0024004b00660073005e0036004100680024007b0041005000420059004f004800580000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{977D8304-FAAA-4331-81DB-B67FC2134A38}\TypeLib\ = "{CBBC4772-C9A4-4FE8-B34B-5EFBD68F8E27}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.jpe C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLRedirection.URLRedirectionBHO\CLSID\ = "{B4F3A835-0E21-4959-BA22-42B3008E02FF}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\odcnew.1\HTML Handler\Icon\ = ".odcnewfile" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\ProgID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9164592-D558-4EE7-8B41-F1C9F66D683A}\1.0\0\win32\ = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBttnIE.dll\\104" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{803EDC90-F4C6-4B8D-BB5F-869EA2AF2B03}\ProxyStubClsid C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xlsb\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Sharepoint.OpenXMLDocuments.2\ = "SharepointOpenXMLDocuments" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\OSPPWMI.OSppWmiTokenActivationSigner\CurVer C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC8E6CD1-E6F2-4A8F-A99B-2F3BA2B3DE6B}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "txtfile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{096CD5DE-0786-11D1-95FA-0080C78EE3BB}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F2FD001-0148-474e-843E-D6D37A848D62}\ = "Microsoft OneNote Windows Desktop Search IFilter Base Class ID" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gif C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VisShe.QuickViewShellExt.1\CLSID C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\ManualSafeSave = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneNote.NoteLinkContentService\CurVer\ = "OneNote.NoteLinkContentService.14" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{3CA78EDC-E48A-4A21-9562-9245BF90CE3F}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{312AB530-ECC9-496E-AE0E-C9E6C5392499}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\URLRedirection.URLRedirectionBHO\CLSID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\ = "Office Open XML Format Word Filter" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneNote.IEAddin.LinkedNotes\ = "Linked Notes button" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneNote.NoteLinkStoreService.14\CLSID\ = "{5554F805-47C0-489D-AAE6-2D11C6E4A3ED}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\xmlfile\shell\edit\command C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A \??\c:\Ghost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe \??\c:\drawerror.exe
PID 3020 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe \??\c:\drawerror.exe
PID 3020 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe \??\c:\drawerror.exe
PID 3020 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe \??\c:\drawerror.exe
PID 3020 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe \??\c:\Ghost.exe
PID 3020 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe \??\c:\Ghost.exe
PID 3020 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe \??\c:\Ghost.exe
PID 3020 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe \??\c:\Ghost.exe
PID 3020 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2496 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2496 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2496 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2600 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe

"C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe"

\??\c:\drawerror.exe

c:\drawerror.exe

\??\c:\Ghost.exe

c:\Ghost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\ÓðÒí.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\taskkill.exe

taskkill /im 360tray.exe /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\reg.exe

reg add

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v nodrives /t REG_DWORD /d 60 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\subst.exe

subst b: C:\

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\1.bat

C:\Windows\SysWOW64\subst.exe

subst h: C:\

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

C:\Windows\SysWOW64\subst.exe

subst i: C:\

C:\Windows\SysWOW64\subst.exe

subst j: C:\

C:\Windows\SysWOW64\subst.exe

subst l: C:\

C:\Windows\SysWOW64\subst.exe

subst m: C:\

C:\Windows\SysWOW64\subst.exe

subst n: C:\

C:\Windows\SysWOW64\subst.exe

subst o: C:\

C:\Windows\SysWOW64\subst.exe

subst r: C:\

C:\Windows\SysWOW64\subst.exe

subst t: C:\

C:\Windows\SysWOW64\subst.exe

subst k: C:\

C:\Windows\SysWOW64\subst.exe

subst p: C:\

C:\Windows\SysWOW64\subst.exe

subst q: C:\

C:\Windows\SysWOW64\subst.exe

subst s: C:\

C:\Windows\SysWOW64\subst.exe

subst u: C:\

C:\Windows\SysWOW64\subst.exe

subst v: C:\

C:\Windows\SysWOW64\subst.exe

subst w: C:\

C:\Windows\SysWOW64\subst.exe

subst x: C:\

C:\Windows\SysWOW64\subst.exe

subst y: C:\

C:\Windows\SysWOW64\subst.exe

subst z: C:\

C:\Windows\SysWOW64\taskkill.exe

taskkill /im explorer.exe /f

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 89AA0E1518C1DEBB53FCDBCF430BD7F0

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideClock /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWindowsUpdate /t REG_DWORD /d 01000000 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewContextMenu /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /t REG_DWORD /d 1 /f

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 9652108142304D125EDC4B35EFDC49F5

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding ADE103713802510539AB0E24DFDE9BA8 M Global\MSI0000

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\±øÍÅ.bat

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\ascaris.bat

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

Network

Files

memory/3020-0-0x0000000000400000-0x00000000010CA000-memory.dmp

C:\drawerror.exe

MD5 a4b655c4580fad879c431ac265bd1409
SHA1 f98d37a7c2a5a24f7d6871c87d150de4417e00ad
SHA256 2eba41b0399d91c5677f9ead8beb2610f94026a6a91c84ff7a4f19cfafbe61ad
SHA512 af7124caef5babde34421550f1aef4c74b88ddd657c3eaf4af5887a61b6b8c31b09b199886cab92a87eb089502f049c11da266c900de02c8310058b4c704e854

C:\Ghost.exe

MD5 69c97e6fcc20eda26024caedc87449f3
SHA1 1d784041e60c83b6b5bd1a644a5daff8d7ddb627
SHA256 a70f454dd1b123be4dda9ee8e22e3a5f414397b8a7ce221647d2e12f9244146a
SHA512 de7f603f33ac35ceb1ef769e9a349f3887be451af1d7ea71996496db9584f820c483ae4c6db672b2b47b2c9330effe2cffac6a30aafe9396edb78fb680f776ec

C:\ÓðÒí.bat

MD5 8f0b90a560cc05a8fe5068d4db3087bd
SHA1 1d53e5256d162964cf38cf1d73ae6db8a633ea6d
SHA256 6db71de3499a83a9602d693e99d36127772c743b595e26f36c69cba2e2186f2e
SHA512 df375eac9903fbe5675806f078e0faf0bb7342737ee34359edd3e55866ce5ecd27b09c5e8fff06e1463fe2ebb18bfbf93ce19adbcee986effa1dcbcd34a602a6

C:\1.bat

MD5 ccff006fd8c4150a18669ced52244d6a
SHA1 743fe1b7fe0a8215fbb5eeeb95e55ba4f39cb01e
SHA256 3c32ecce41201efa27dd4e18d5d0b88c429fc9427829f565512e44b487ce120e
SHA512 114e98ad958e4cbdad94d24753c2a67a1080160c4fa35d9839420aa5de9f28446794c606b29d58f342f7316421ecfb877741957cd979736ea9fcfae06981bf79

C:\1.bat

MD5 c6c7b4dcc81c27c76c49dfd2acee715e
SHA1 ef6a2a2ccb276bc9a057cd0d6f0bd3867d1988b7
SHA256 edc099fdfa8210f123cdc51dfb3256cc7dc3c0af614fd63e3c1d6182bf37ae21
SHA512 b9d1aba58a20238e3870c9785a43d1c64273b3c332d545f8c363d02844214f6dcd3332c35281b2663ed2192728c33d915d457615c6f4057a1dccdea188d38898

memory/2664-41-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Windows\Installer\MSI4D09.tmp

MD5 d1f5ce6b23351677e54a245f46a9f8d2
SHA1 0d5c6749401248284767f16df92b726e727718ca
SHA256 57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc
SHA512 960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

C:\Windows\Installer\MSI4DE5.tmp

MD5 4a843a97ae51c310b573a02ffd2a0e8e
SHA1 063fa914ccb07249123c0d5f4595935487635b20
SHA256 727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086
SHA512 905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

C:\Windows\Installer\MSI4FEA.tmp

MD5 85221b3bcba8dbe4b4a46581aa49f760
SHA1 746645c92594bfc739f77812d67cfd85f4b92474
SHA256 f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f
SHA512 060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

C:\Windows\Installer\MSI501B.tmp

MD5 33908aa43ac0aaabc06a58d51b1c2cca
SHA1 0a0d1ce3435abe2eed635481bac69e1999031291
SHA256 4447faacefaba8f040822101e2a4103031660de9139e70ecff9aa3a89455a783
SHA512 d5216a53df9cfbe1a78629c103286eb17042f639149c46b6a1cd76498531ae82afd265462fbe0ba9baaff275fc95c66504804f107c449f3fc5833b1ed9c3da46

C:\Windows\Installer\MSI5174.tmp

MD5 ff58cd07bf4913ef899efd2dfb112553
SHA1 f14c1681de808543071602f17a6299f8b4ba2ae8
SHA256 1afafe9157ff5670bbec8ce622f45d1ce51b3ee77b7348d3a237e232f06c5391
SHA512 23e27444b6cdc17fe56f3a80d6325c2be61ae84213bc7cdaad7bb96daa7e8d2d3defc1b96c3cee4a3f32dc464b0e05720bcf1c0e99626bf83de1b6d5aac000a3

C:\±øÍÅ.bat

MD5 32f678c01c8d5edca7ecaf35937259f6
SHA1 7079515682536cf2366bcdf0f44a8ce83a17c806
SHA256 80552c862831e82ffa22045b26efeef84e89576f0ab385b5b87d8467d98b9e94
SHA512 2833b2fd557b51505d8a2a251b664e51944c1a5e65109b76719d6ac970c3058159460b3d9205ab98ce65c32c066d52f1320fc79170c2b06a02c5ecbecaadcc7a

\Users\Admin\AppData\Local\Temp\ascaris.dll

MD5 4520eee1da294b6c8428cea200b81d18
SHA1 2d1478c5aef0934db397b8c593ec2432d9809b83
SHA256 9b2c140b6c47666024128b8ac9f1e8b2fe041caf6d286eec638018beb48394cd
SHA512 aff152ec0672597c483d15fe04fe7ddf55155827a2df588ab83efc45301cedb670be23a566ee8c268e497d33e21b48ee8723ad812d253f9d1f284e3324734ac0

memory/3020-202-0x0000000010000000-0x00000000100B3000-memory.dmp

C:\ascaris.bat

MD5 54552eebfc4c487d01daa63048efa72c
SHA1 7f0ef347eeae3b26efb3c24a83d03958cb7fa3ab
SHA256 b085349f14e199ee7344ae9120898da281b6d410d6b595dffddb55f3645a251f
SHA512 a1dc49c221da7ebe12229807664b164bc99bff4fa918cfd31a818ce779566b9e8d7eef22355b187dfa8d064d4ed92d164465a604ef79c824065a7e5e60669b23

memory/3020-214-0x0000000010000000-0x00000000100B3000-memory.dmp

memory/3020-218-0x0000000010000000-0x00000000100B3000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 cc86e1a5224fcaa035e618fa766d5b53
SHA1 09913248e3983ee751bddca919599e9f5a07685a
SHA256 1aaf0d85389d6359d30f2d0f0942f8e1369871e75350f4fbcf1edd79836d9926
SHA512 177ecec47415e30c91e46576f472b9371818c73964b02c275a3e8f525fc5f6436d911cbb36ee72de15907f8e9b4c2bc2b5bbe662f44762ecec1120a99a2eef3b

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 14:25

Reported

2024-05-23 14:27

Platform

win10v2004-20240508-en

Max time kernel

53s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe"

Signatures

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A

Disables Task Manager via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\drawerror.exe N/A
N/A N/A \??\c:\Ghost.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "c:\\cc.ico" C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe" C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\r: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\cmd.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\cmd.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "1.bmp" C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\TileWallpaper = "2" C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.jpe C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.asf\ = "txtfile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mpeg C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3\ = "txtfile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.txt C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.rar C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.jfif\ = "txtfile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wmv C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mvb C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.zip C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.gif\ = "txtfile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.png C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mpg C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.avi\ = "txtfile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mpeg\ = "txtfile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.msi\ = "txtfile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "txtfile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.html C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.jpeg C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.3gp\ = "txtfile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.chm C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wav C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.doc\ = "exefile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "txtfile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.avi C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ico C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ra C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4 C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.chm\ = "txtfile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.jfif C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.flv\ = "txtfile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.3g2 C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A \??\c:\Ghost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2692 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe \??\c:\drawerror.exe
PID 2692 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe \??\c:\Ghost.exe
PID 2692 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe C:\Windows\SysWOW64\cmd.exe
PID 3128 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 2036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3128 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4644 wrote to memory of 4540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 4372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 4416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 3584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 4992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe

"C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3f4 0x40c

\??\c:\drawerror.exe

c:\drawerror.exe

\??\c:\Ghost.exe

c:\Ghost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\ÓðÒí.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\taskkill.exe

taskkill /im 360tray.exe /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\1.bat

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\1.bat

C:\Windows\SysWOW64\reg.exe

reg add

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v nodrives /t REG_DWORD /d 60 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\subst.exe

subst b: C:\

C:\Windows\SysWOW64\subst.exe

subst h: C:\

C:\Windows\SysWOW64\subst.exe

subst i: C:\

C:\Windows\SysWOW64\subst.exe

subst j: C:\

C:\Windows\SysWOW64\subst.exe

subst l: C:\

C:\Windows\SysWOW64\subst.exe

subst m: C:\

C:\Windows\SysWOW64\subst.exe

subst n: C:\

C:\Windows\SysWOW64\subst.exe

subst o: C:\

C:\Windows\SysWOW64\subst.exe

subst r: C:\

C:\Windows\SysWOW64\subst.exe

subst t: C:\

C:\Windows\SysWOW64\subst.exe

subst k: C:\

C:\Windows\SysWOW64\subst.exe

subst p: C:\

C:\Windows\SysWOW64\subst.exe

subst q: C:\

C:\Windows\SysWOW64\subst.exe

subst s: C:\

C:\Windows\SysWOW64\subst.exe

subst u: C:\

C:\Windows\SysWOW64\subst.exe

subst v: C:\

C:\Windows\SysWOW64\subst.exe

subst w: C:\

C:\Windows\SysWOW64\subst.exe

subst x: C:\

C:\Windows\SysWOW64\subst.exe

subst y: C:\

C:\Windows\SysWOW64\subst.exe

subst z: C:\

C:\Windows\SysWOW64\taskkill.exe

taskkill /im explorer.exe /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideClock /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWindowsUpdate /t REG_DWORD /d 01000000 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewContextMenu /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\±øÍÅ.bat

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\ascaris.bat

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im 360tray.exe

Network

Files

C:\drawerror.exe

C:\Ghost.exe

\??\c:\ÓðÒí.bat

C:\1.bat

C:\Users\Admin\AppData\Local\Temp\ascaris.dll

\??\c:\±øÍÅ.bat

\??\c:\ascaris.bat

C:\Windows\System32\drivers\etc\hosts