Analysis Overview
SHA256
7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e
Threat Level: Likely malicious
The file 7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e was found to be: Likely malicious.
Malicious Activity Summary
Sets file execution options in registry
Drops file in Drivers directory
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Loads dropped DLL
Executes dropped EXE
Registers COM server for autorun
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Modifies system executable filetype association
Adds Run key to start application
Enumerates connected drives
Installs/modifies Browser Helper Object
Sets desktop wallpaper using registry
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Modifies Control Panel
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-23 14:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 14:25
Reported
2024-05-23 14:27
Platform
win7-20240419-en
Max time kernel
44s
Max time network
119s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
Disables Task Manager via registry modification
Drops file in Drivers directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe\DisableExceptionChainValidation = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe\DisableExceptionChainValidation = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe | C:\Windows\system32\msiexec.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\drawerror.exe | N/A |
| N/A | N/A | \??\c:\Ghost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\system32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\system32\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "c:\\cc.ico" | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8075731E-5146-11D5-A672-00B0D022E945}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D66DC78C-4F61-447F-942B-3FB6980118CF}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\VISSHE.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{0006F045-0000-0000-C000-000000000046}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{FAEA5B46-761B-400E-B53E-E805A97A543E}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{274C2936-A842-45f3-A457-FB4BA4ED1BA2}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EE84065-8BA3-4a8a-9542-6EC8B56A3378}\InprocServer32\ = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONFILTER.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D9160E22-BDF3-4D8A-818C-D99D10EC7BEF}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{807573E5-5146-11D5-A672-00B0D022E945}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{64654B35-A024-4807-89D3-C6FDB5A260C7}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{95F35795-64B1-495D-9DE7-390EECC31EC0}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\NAMEEXT.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E6-5146-11D5-A672-00B0D022E945}\InprocServer32\InprocServer32 = 7800620027004200560052002100210021002100340021002100210021004d004b004b0053006b00580044004f0043005300460069006c0065007300360034003e00390026006000570060003600720038004e003900410032006900240027006c0062007a006100480000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E5-5146-11D5-A672-00B0D022E945}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64654B35-A024-4807-89D3-C6FDB5A260C7}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E0D1EC-0A0D-4E50-B8A1-82A8B6ECE5CB}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{977D8304-FAAA-4331-81DB-B67FC2134A38}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E73304-E1D6-4330-914C-F5F514E3486C}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\ONBttnIE.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32\InprocServer32 = 7800620027004200560052002100210021002100340021002100210021004d004b004b0053006b0056006900730069006f0036003400460069006c00650073003e0034002d007b0024004b00660073005e0036004100680024007b0041005000420059004f004800580000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE0A0A1-96D0-4B04-8EC6-2DBF9BD888DC}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{B8D12492-CE0F-40AD-83EA-099A03D493F1}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8075731E-5146-11D5-A672-00B0D022E945}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\INLAUNCH.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\VISSHE.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\VISSHE.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{8DE0A0A1-96D0-4B04-8EC6-2DBF9BD888DC}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F90DFE0C-CBDF-41FF-8598-EDD8F222A2C8}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{D9230E09-3737-43F5-8C78-BC4C83DC296C}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{95F35795-64B1-495D-9DE7-390EECC31EC0}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E5-5146-11D5-A672-00B0D022E945}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLMF.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3133A7FE-BC5F-4D81-BF02-184ECC88D66E}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4693FF15-B962-420A-9E5D-176F7D4B8321}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\ONFILTER.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20E823C2-62F3-4638-96BD-90F4F6784EBC}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\InprocServer32\ = "C:\\PROGRA~1\\MICROS~2\\Office14\\URLREDIR.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CB3F7806-3CB4-409C-BA3B-12D642BE371A}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\BCSLaunch.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3CA78EDC-E48A-4A21-9562-9245BF90CE3F}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\NAMEEXT.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E6-5146-11D5-A672-00B0D022E945}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}\InprocServer32\ = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONFILTER.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe" | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\k: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\j: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\s: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\x: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\n: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\p: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\w: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\h: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\l: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\m: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\o: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\i: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\e: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\v: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\g: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\q: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\u: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\y: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\z: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\t: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\r: | C:\Windows\SysWOW64\cmd.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\NoExplorer = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\ = "URLRedirectionBHO" | C:\Windows\system32\msiexec.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "1.bmp" | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Microsoft Office\Office14\AUTHZAX.DLL | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOLoaderUI.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\BCSLaunch.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\ONLNTCOMLIB.DLL | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.DLL | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\MSOHEV.DLL | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\Custom.propdesc | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\INLAUNCH.DLL | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\VisioCustom.propdesc | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\VISSHE.DLL | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\NAMEEXT.DLL | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Installer\MSI4FEA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5425.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f764b73.mst | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4E62.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f764b8a.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI501A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI501B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4D09.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4DE5.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f764b72.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5099.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4ED1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5174.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f764b8a.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f764b72.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f764b73.mst | C:\Windows\system32\msiexec.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\TileWallpaper = "2" | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\AppName = "IEContentService.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\AppPath = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ClsidExtension = "{48E73304-E1D6-4330-914C-F5F514E3486C}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\AppPath = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Icon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBTTN~1.DLL,103" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Default Visible = "Yes" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\AppName = "onenote.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ButtonText = "OneNote Lin&ked Notes" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\Policy = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5054EC7-B9CB-4ad5-9F95-D8171A6D6BFA}\CLSID = "{EC04D82C-AA59-4ba4-96B1-27BE3FF05E00}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5054EC7-B9CB-4ad5-9F95-D8171A6D6BFA}\Policy = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ButtonText = "Send to OneNote" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\HotIcon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBttnIE.dll,103" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ToolTip = "OneNote Linked Notes" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5054EC7-B9CB-4ad5-9F95-D8171A6D6BFA} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Default Visible = "Yes" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\MenuText = "OneNote Lin&ked Notes" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\HotIcon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBTTN~1.DLL,103" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ClsidExtension = "{FFFDC614-B694-4AE6-AB38-5D6374584B52}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\MenuText = "Se&nd to OneNote" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Icon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBttnIE.dll,103" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ToolTip = "Send to OneNote" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\Policy = "3" | C:\Windows\system32\msiexec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{096CD5DE-0786-11D1-95FA-0080C78EE3BB} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Search.OneIndexHandler.2\CLSID\ = "{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.potm\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OneNote.IEAddin.LinkedNotes.14\CLSID\ = "{FFFDC614-B694-4AE6-AB38-5D6374584B52}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\OSPPWMI.OSppWmiTokenActivationSigner | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AAB9C2AA-6036-4AE1-A41C-A40AB7F39520}\a.0\ = "Microsoft Visual Studio Tools for Office Execution Engine Type Library" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\BCSLaunch.Launcher.1\CLSID | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CBBC4772-C9A4-4FE8-B34B-5EFBD68F8E27}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{7CCA70DB-DE7A-4FB7-9B2B-52E2335A3B5A} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{E772CEB3-E203-4828-ADF1-765713D981B8} | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9164592-D558-4EE7-8B41-F1C9F66D683A}\1.0\FLAGS | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\odcdatabase.1\HTML Handler\ = "\"C:\\PROGRA~1\\MICROS~2\\Office14\\MSOHTMED.EXE\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Sharepoint.OpenXMLDocuments | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VisShe.ImageExtractorShellExt\CurVer | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.pptm\ShellEx\PropertyHandler | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.xlsb\ShellEx\PropertyHandler | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{807573E5-5146-11D5-A672-00B0D022E945}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CCA70DB-DE7A-4FB7-9B2B-52E2335A3B5A}\ShellFolder\Attributes = 000010b8 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{E87ECCF7-3CBA-45CF-B58E-1A6630D39199}\Programmable | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{977D8304-FAAA-4331-81DB-B67FC2134A38} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AE2A4AD-F2F4-4BA7-98B1-67C96736CD5F}\ = "IOneNoteIEAddinButton" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VisShe.IconHandlerShellExt\CLSID | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\OSPPWMI.OSppWmiTokenActivationSigner.1\CLSID | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E73304-E1D6-4330-914C-F5F514E3486C}\ProgID | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32\InprocServer32 = 7800620027004200560052002100210021002100340021002100210021004d004b004b0053006b0056006900730069006f0036003400460069006c00650073003e0034002d007b0024004b00660073005e0036004100680024007b0041005000420059004f004800580000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{977D8304-FAAA-4331-81DB-B67FC2134A38}\TypeLib\ = "{CBBC4772-C9A4-4FE8-B34B-5EFBD68F8E27}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.jpe | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\URLRedirection.URLRedirectionBHO\CLSID\ = "{B4F3A835-0E21-4959-BA22-42B3008E02FF}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\odcnew.1\HTML Handler\Icon\ = ".odcnewfile" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{A37BBB42-E8C1-4E09-B9CA-F009CE620C08}\ProgID | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9164592-D558-4EE7-8B41-F1C9F66D683A}\1.0\0\win32\ = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBttnIE.dll\\104" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{803EDC90-F4C6-4B8D-BB5F-869EA2AF2B03}\ProxyStubClsid | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xlsb\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Sharepoint.OpenXMLDocuments.2\ = "SharepointOpenXMLDocuments" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\OSPPWMI.OSppWmiTokenActivationSigner\CurVer | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC8E6CD1-E6F2-4A8F-A99B-2F3BA2B3DE6B}\ProxyStubClsid32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "txtfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Interface\{096CD5DE-0786-11D1-95FA-0080C78EE3BB}\TypeLib | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F2FD001-0148-474e-843E-D6D37A848D62}\ = "Microsoft OneNote Windows Desktop Search IFilter Base Class ID" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gif | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VisShe.QuickViewShellExt.1\CLSID | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\ManualSafeSave = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E3C66D5-58D4-491E-A7D4-64AF99AF6E8B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OneNote.NoteLinkContentService\CurVer\ = "OneNote.NoteLinkContentService.14" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{3CA78EDC-E48A-4A21-9562-9245BF90CE3F}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{312AB530-ECC9-496E-AE0E-C9E6C5392499}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\URLRedirection.URLRedirectionBHO\CLSID | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\ = "Office Open XML Format Word Filter" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OneNote.IEAddin.LinkedNotes\ = "Linked Notes button" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\OneNote.NoteLinkStoreService.14\CLSID\ = "{5554F805-47C0-489D-AAE6-2D11C6E4A3ED}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\xmlfile\shell\edit\command | C:\Windows\system32\msiexec.exe | N/A |
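Reading this table for host-side indicators: the rows attributed to C:\Windows\SysWOW64\cmd.exe are the sample's own work (the .exe and .bat associations are flipped between their normal handlers and "txtfile", plus .jpe/.gif keys touched), while every msiexec.exe row points at Office14 paths and reads as Windows Installer component registration for the sandbox's Office install rather than the sample's writes (an inference from the paths, not something the report states). Two details from the Processes list below matter before hunting: the sample's reg add commands spell the hive path SOFTWARW, so nodrives and NoRun are written under a bogus HKCU\SOFTWARW\... tree that Explorer never reads, which makes that key useless to the malware but a high-confidence indicator for a responder; and cmd /c c:\ÓðÒí.bat is a batch name that the English sandbox rendered from what is apparently a GBK (Chinese) name, consistent with the taskkill of 360tray.exe (360 Total Security's tray process), so match on the exact rendered characters rather than retyping it. The script below is an added audit example, not the sample's code and not part of the report: it checks the values recorded here, reports the bogus key and the dropped files named in the Processes list, and can restore the two file associations. Assumptions not stated by the report: exefile/batfile are the stock Windows defaults, DisableRegistryTools/DisableTaskMgr are taken from the report's signature summary (their value tables are not in this section), and the script runs in the profile of the user who ran the sample, since those policy values live under HKCU.

```powershell
# Added audit script (not part of the report or the sample). Checks a host for the
# registry values and dropped files recorded above, and optionally undoes the
# file-association hijack. Run it from an existing console: the .exe=txtfile
# association only breaks ShellExecute (double-click), not CreateProcess, and the
# DisableRegistryTools policy blocks reg.exe/regedit.exe but not the PowerShell
# registry provider. -Repair needs an elevated session for the HKLM writes.
[CmdletBinding()]
param([switch]$Repair)

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

# Bad = what the report shows the sample writing; Clean = stock Windows value
# (assumed, not stated by the report); $null means "absent on a clean host".
$valueChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Classes\.exe'; Name = '(default)';            Bad = 'txtfile'; Clean = 'exefile' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\.bat'; Name = '(default)';            Bad = 'txtfile'; Clean = 'batfile' }
    @{ Path = "$pol\System";                 Name = 'DisableRegistryTools'; Bad = 1;         Clean = $null }
    @{ Path = "$pol\System";                 Name = 'DisableTaskMgr';       Bad = 1;         Clean = $null }
)

$findings = New-Object System.Collections.Generic.List[object]

foreach ($c in $valueChecks) {
    $actual = Get-RegValue $c.Path $c.Name
    if ($null -eq $actual) {
        $status = $(if ($null -eq $c.Clean) { 'clean (absent)' } else { 'ABSENT' })
    } elseif ("$actual" -eq "$($c.Bad)") {
        $status = 'MATCHES SAMPLE'
    } elseif ("$actual" -eq "$($c.Clean)") {
        $status = 'clean'
    } else {
        $status = 'non-default'
    }
    $findings.Add([pscustomobject]@{ Check = "$($c.Path) [$($c.Name)]"; Actual = $actual; Status = $status })
}

# The reg.exe commands in the Processes list spell the hive path "SOFTWARW", so
# nodrives/NoRun land under HKCU\SOFTWARW\... instead of the real policy key.
# Explorer never reads that tree, but nothing legitimate creates it either, so its
# presence alone is a high-confidence indicator of this sample.
$bogus    = 'HKCU:\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$bogusHit = Test-Path -LiteralPath $bogus
$bogusVal = $null
if ($bogusHit) { $bogusVal = "nodrives=$(Get-RegValue $bogus 'nodrives') NoRun=$(Get-RegValue $bogus 'NoRun')" }
$findings.Add([pscustomobject]@{
    Check  = $bogus
    Actual = $bogusVal
    Status = $(if ($bogusHit) { 'MATCHES SAMPLE' } else { 'clean (absent)' })
})

# Dropped files named in the Processes list. The fourth name is built from the
# code points the sandbox rendered (0xD3 0xF0 0xD2 0xED) so the check does not
# depend on the encoding this .ps1 file happens to be saved in.
$files = @('C:\Ghost.exe', 'C:\drawerror.exe', 'C:\1.bat',
           ('C:\' + (-join [char[]](0xD3, 0xF0, 0xD2, 0xED)) + '.bat'))
foreach ($f in $files) {
    $hit = Test-Path -LiteralPath $f
    $findings.Add([pscustomobject]@{
        Check  = $f
        Actual = $hit
        Status = $(if ($hit) { 'MATCHES SAMPLE' } else { 'clean (absent)' })
    })
}

if ($Repair) {
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\.exe' -Name '(default)' -Value 'exefile'
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\.bat' -Name '(default)' -Value 'batfile'
    # Policy values are removed, not zeroed: a clean profile does not have them at all.
    foreach ($n in 'DisableRegistryTools', 'DisableTaskMgr') {
        Remove-ItemProperty -Path "$pol\System" -Name $n -ErrorAction SilentlyContinue
    }
    Remove-Item -Path 'HKCU:\SOFTWARW' -Recurse -Force -ErrorAction SilentlyContinue
}

# Emit objects rather than formatted text so the result can be piped or exported.
$findings
```

Run it as `.\Audit-Sample.ps1 | Format-Table -AutoSize` for a quick read, or `.\Audit-Sample.ps1 | Export-Csv findings.csv` when collecting from several hosts; add `-Repair` only after the process tree (Ghost.exe, drawerror.exe and the cmd.exe /K C:\1.bat instances) has been killed, otherwise the batch loop simply rewrites the associations. The script deliberately does not delete the dropped files: keep them for imaging and hashing first.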
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Ghost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
| N/A | N/A | \??\c:\Ghost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe
"C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe"
\??\c:\drawerror.exe
c:\drawerror.exe
\??\c:\Ghost.exe
c:\Ghost.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\ÓðÒí.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\taskkill.exe
taskkill /im 360tray.exe /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\reg.exe
reg add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v nodrives /t REG_DWORD /d 60 /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\subst.exe
subst b: C:\
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\1.bat
C:\Windows\SysWOW64\subst.exe
subst h: C:\
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 360tray.exe
C:\Windows\SysWOW64\subst.exe
subst i: C:\
C:\Windows\SysWOW64\subst.exe
subst j: C:\
C:\Windows\SysWOW64\subst.exe
subst l: C:\
C:\Windows\SysWOW64\subst.exe
subst m: C:\
C:\Windows\SysWOW64\subst.exe
subst n: C:\
C:\Windows\SysWOW64\subst.exe
subst o: C:\
C:\Windows\SysWOW64\subst.exe
subst r: C:\
C:\Windows\SysWOW64\subst.exe
subst t: C:\
C:\Windows\SysWOW64\subst.exe
subst k: C:\
C:\Windows\SysWOW64\subst.exe
subst p: C:\
C:\Windows\SysWOW64\subst.exe
subst q: C:\
C:\Windows\SysWOW64\subst.exe
subst s: C:\
C:\Windows\SysWOW64\subst.exe
subst u: C:\
C:\Windows\SysWOW64\subst.exe
subst v: C:\
C:\Windows\SysWOW64\subst.exe
subst w: C:\
C:\Windows\SysWOW64\subst.exe
subst x: C:\
C:\Windows\SysWOW64\subst.exe
subst y: C:\
C:\Windows\SysWOW64\subst.exe
subst z: C:\
C:\Windows\SysWOW64\taskkill.exe
taskkill /im explorer.exe /f
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 89AA0E1518C1DEBB53FCDBCF430BD7F0
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideClock /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWindowsUpdate /t REG_DWORD /d 01000000 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewContextMenu /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /t REG_DWORD /d 1 /f
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 9652108142304D125EDC4B35EFDC49F5
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding ADE103713802510539AB0E24DFDE9BA8 M Global\MSI0000
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\±øÍÅ.bat
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\ascaris.bat
Network
Files
C:\drawerror.exe
C:\Ghost.exe
C:\ÓðÒí.bat
C:\1.bat
C:\Windows\Installer\MSI4D09.tmp
C:\Windows\Installer\MSI4DE5.tmp
C:\Windows\Installer\MSI4FEA.tmp
C:\Windows\Installer\MSI501B.tmp
C:\Windows\Installer\MSI5174.tmp
C:\±øÍÅ.bat
\Users\Admin\AppData\Local\Temp\ascaris.dll
C:\ascaris.bat
C:\Windows\System32\drivers\etc\hosts
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 14:25
Reported
2024-05-23 14:27
Platform
win10v2004-20240508-en
Max time kernel
53s
Max time network
150s
Command Line
Signatures
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools = "1" | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
Disables Task Manager via registry modification
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\drawerror.exe | N/A |
| N/A | N/A | \??\c:\Ghost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "c:\\cc.ico" | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe" | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\r: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\t: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\v: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\e: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\g: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\i: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\o: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\q: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\x: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\j: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\p: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\y: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\z: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\k: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\m: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\n: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\s: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\w: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\h: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\l: | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened (read-only) | \??\u: | C:\Windows\SysWOW64\cmd.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "1.bmp" | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\TileWallpaper = "2" | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.jpe | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.asf\ = "txtfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpeg | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3\ = "txtfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.txt | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.jfif\ = "txtfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wmv | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mvb | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.zip | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gif\ = "txtfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpg | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.avi\ = "txtfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpeg\ = "txtfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.msi\ = "txtfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "txtfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.html | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.jpeg | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.3gp\ = "txtfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.chm | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wav | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.doc\ = "exefile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "txtfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.avi | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ico | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ra | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4 | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.chm\ = "txtfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.jfif | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.flv\ = "txtfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.3g2 | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Ghost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe | N/A |
| N/A | N/A | \??\c:\Ghost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe
"C:\Users\Admin\AppData\Local\Temp\7850216edcd60c113621c5bf237f2f220cd46bf3f1266016a0197e342f24373e.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f4 0x40c
\??\c:\drawerror.exe
c:\drawerror.exe
\??\c:\Ghost.exe
c:\Ghost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\ÓðÒí.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\1.bat
C:\Windows\SysWOW64\taskkill.exe
taskkill /im 360tray.exe /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\1.bat
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im 360tray.exe
C:\Windows\SysWOW64\reg.exe
reg add
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v nodrives /t REG_DWORD /d 60 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\subst.exe
subst b: C:\
C:\Windows\SysWOW64\subst.exe
subst h: C:\
C:\Windows\SysWOW64\subst.exe
subst i: C:\
C:\Windows\SysWOW64\subst.exe
subst j: C:\
C:\Windows\SysWOW64\subst.exe
subst l: C:\
C:\Windows\SysWOW64\subst.exe
subst m: C:\
C:\Windows\SysWOW64\subst.exe
subst n: C:\
C:\Windows\SysWOW64\subst.exe
subst o: C:\
C:\Windows\SysWOW64\subst.exe
subst r: C:\
C:\Windows\SysWOW64\subst.exe
subst t: C:\
C:\Windows\SysWOW64\subst.exe
subst k: C:\
C:\Windows\SysWOW64\subst.exe
subst p: C:\
C:\Windows\SysWOW64\subst.exe
subst q: C:\
C:\Windows\SysWOW64\subst.exe
subst s: C:\
C:\Windows\SysWOW64\subst.exe
subst u: C:\
C:\Windows\SysWOW64\subst.exe
subst v: C:\
C:\Windows\SysWOW64\subst.exe
subst w: C:\
C:\Windows\SysWOW64\subst.exe
subst x: C:\
C:\Windows\SysWOW64\subst.exe
subst y: C:\
C:\Windows\SysWOW64\subst.exe
subst z: C:\
C:\Windows\SysWOW64\taskkill.exe
taskkill /im explorer.exe /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideClock /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWindowsUpdate /t REG_DWORD /d 01000000 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoViewContextMenu /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARW\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWinKeys /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\±øÍÅ.bat
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\ascaris.bat
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Network
Files
memory/2692-0-0x0000000000400000-0x00000000010CA000-memory.dmp
C:\drawerror.exe
| MD5 | a4b655c4580fad879c431ac265bd1409 |
| SHA1 | f98d37a7c2a5a24f7d6871c87d150de4417e00ad |
| SHA256 | 2eba41b0399d91c5677f9ead8beb2610f94026a6a91c84ff7a4f19cfafbe61ad |
| SHA512 | af7124caef5babde34421550f1aef4c74b88ddd657c3eaf4af5887a61b6b8c31b09b199886cab92a87eb089502f049c11da266c900de02c8310058b4c704e854 |
C:\Ghost.exe
| MD5 | 69c97e6fcc20eda26024caedc87449f3 |
| SHA1 | 1d784041e60c83b6b5bd1a644a5daff8d7ddb627 |
| SHA256 | a70f454dd1b123be4dda9ee8e22e3a5f414397b8a7ce221647d2e12f9244146a |
| SHA512 | de7f603f33ac35ceb1ef769e9a349f3887be451af1d7ea71996496db9584f820c483ae4c6db672b2b47b2c9330effe2cffac6a30aafe9396edb78fb680f776ec |
\??\c:\ÓðÒí.bat
| MD5 | 8f0b90a560cc05a8fe5068d4db3087bd |
| SHA1 | 1d53e5256d162964cf38cf1d73ae6db8a633ea6d |
| SHA256 | 6db71de3499a83a9602d693e99d36127772c743b595e26f36c69cba2e2186f2e |
| SHA512 | df375eac9903fbe5675806f078e0faf0bb7342737ee34359edd3e55866ce5ecd27b09c5e8fff06e1463fe2ebb18bfbf93ce19adbcee986effa1dcbcd34a602a6 |
C:\1.bat
| MD5 | ccff006fd8c4150a18669ced52244d6a |
| SHA1 | 743fe1b7fe0a8215fbb5eeeb95e55ba4f39cb01e |
| SHA256 | 3c32ecce41201efa27dd4e18d5d0b88c429fc9427829f565512e44b487ce120e |
| SHA512 | 114e98ad958e4cbdad94d24753c2a67a1080160c4fa35d9839420aa5de9f28446794c606b29d58f342f7316421ecfb877741957cd979736ea9fcfae06981bf79 |
C:\1.bat
| MD5 | c6c7b4dcc81c27c76c49dfd2acee715e |
| SHA1 | ef6a2a2ccb276bc9a057cd0d6f0bd3867d1988b7 |
| SHA256 | edc099fdfa8210f123cdc51dfb3256cc7dc3c0af614fd63e3c1d6182bf37ae21 |
| SHA512 | b9d1aba58a20238e3870c9785a43d1c64273b3c332d545f8c363d02844214f6dcd3332c35281b2663ed2192728c33d915d457615c6f4057a1dccdea188d38898 |
memory/1832-25-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ascaris.dll
| MD5 | 4520eee1da294b6c8428cea200b81d18 |
| SHA1 | 2d1478c5aef0934db397b8c593ec2432d9809b83 |
| SHA256 | 9b2c140b6c47666024128b8ac9f1e8b2fe041caf6d286eec638018beb48394cd |
| SHA512 | aff152ec0672597c483d15fe04fe7ddf55155827a2df588ab83efc45301cedb670be23a566ee8c268e497d33e21b48ee8723ad812d253f9d1f284e3324734ac0 |
memory/2692-42-0x0000000010000000-0x00000000100B3000-memory.dmp
\??\c:\±øÍÅ.bat
| MD5 | 32f678c01c8d5edca7ecaf35937259f6 |
| SHA1 | 7079515682536cf2366bcdf0f44a8ce83a17c806 |
| SHA256 | 80552c862831e82ffa22045b26efeef84e89576f0ab385b5b87d8467d98b9e94 |
| SHA512 | 2833b2fd557b51505d8a2a251b664e51944c1a5e65109b76719d6ac970c3058159460b3d9205ab98ce65c32c066d52f1320fc79170c2b06a02c5ecbecaadcc7a |
\??\c:\ascaris.bat
| MD5 | 54552eebfc4c487d01daa63048efa72c |
| SHA1 | 7f0ef347eeae3b26efb3c24a83d03958cb7fa3ab |
| SHA256 | b085349f14e199ee7344ae9120898da281b6d410d6b595dffddb55f3645a251f |
| SHA512 | a1dc49c221da7ebe12229807664b164bc99bff4fa918cfd31a818ce779566b9e8d7eef22355b187dfa8d064d4ed92d164465a604ef79c824065a7e5e60669b23 |
memory/2692-51-0x0000000010000000-0x00000000100B3000-memory.dmp
C:\Windows\System32\drivers\etc\hosts
| MD5 | cc86e1a5224fcaa035e618fa766d5b53 |
| SHA1 | 09913248e3983ee751bddca919599e9f5a07685a |
| SHA256 | 1aaf0d85389d6359d30f2d0f0942f8e1369871e75350f4fbcf1edd79836d9926 |
| SHA512 | 177ecec47415e30c91e46576f472b9371818c73964b02c275a3e8f525fc5f6436d911cbb36ee72de15907f8e9b4c2bc2b5bbe662f44762ecec1120a99a2eef3b |