Malware Analysis Report

2024-09-11 07:13

Sample ID 240530-3mepraee2y
Target e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16
SHA256 e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16
Tags
discovery execution exploit persistence upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16

Threat Level: Likely malicious

The file e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16 was found to be: Likely malicious.

Malicious Activity Summary

discovery execution exploit persistence upx

Possible privilege escalation attempt

Creates new service(s)

UPX packed file

Modifies file permissions

Executes dropped EXE

Deletes itself

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
System Services
T1569
Service Execution
T1569.002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Defense Evasion
TA0005
File and Directory Permissions Modification
T1222
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Remote System Discovery
T1018
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-30 23:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 23:37

Reported

2024-05-30 23:42

Platform

win7-20231129-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe"

Signatures

Creates new service(s)

persistence execution

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Media Player\background.jpg C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe N/A
File created C:\Program Files\Windows Media Player\mpsvc.dll C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe N/A
File created C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe N/A
File created C:\Program Files\Windows Media Player\wmixedwk.exe C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmixedwk.exe C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe C:\Windows\System32\cmd.exe
PID 2396 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe C:\Windows\System32\cmd.exe
PID 2396 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe C:\Windows\System32\cmd.exe
PID 2720 wrote to memory of 2600 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2720 wrote to memory of 2600 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2720 wrote to memory of 2600 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2720 wrote to memory of 2588 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2720 wrote to memory of 2588 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2720 wrote to memory of 2588 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2396 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe C:\Windows\System32\cmd.exe
PID 2396 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe C:\Windows\System32\cmd.exe
PID 2396 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe C:\Windows\System32\cmd.exe
PID 2396 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe C:\Windows\system32\cmd.exe
PID 2396 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe C:\Windows\system32\cmd.exe
PID 2396 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe C:\Windows\system32\cmd.exe
PID 2912 wrote to memory of 2532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2912 wrote to memory of 2532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2912 wrote to memory of 2532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2628 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2628 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2628 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe

"C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own

C:\Windows\system32\cmd.exe

cmd /c ""C:\kkxqbh.bat" "

C:\Windows\system32\sc.exe

sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 sta.alie3ksgee.com udp
HK 103.146.158.221:80 sta.alie3ksgee.com tcp

Files

memory/2396-0-0x000000013F86D000-0x000000013F86F000-memory.dmp

memory/2396-5-0x000000013F860000-0x000000013F89C000-memory.dmp

memory/2396-3-0x0000000002210000-0x000000000223C000-memory.dmp

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 90b85ffbdeead1be861d59134ea985b0
SHA1 55e9859aa7dba87678e7c529b571fdf6b7181339
SHA256 ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2
SHA512 8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce

C:\kkxqbh.bat

MD5 44a3af72a2e7efad7f05b5b264f2b133
SHA1 cfd7c8451a0c6e8123328b18f96bec50d04b50ab
SHA256 471ff503db8bd1d39701d587ec4f2d3c97c2843a53e812fe726c970f7306fbb4
SHA512 3d2009c7d4b82fd970ced78fe97b0d5ed08ca7a33480969deb5345195e50877e5efe8f80eeca86c63c5f87cc3779f7f9aba47eb1cca1c29656cb4f74bfd4e14a

memory/2396-27-0x0000000002210000-0x000000000223C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 23:37

Reported

2024-05-30 23:42

Platform

win10-20240404-en

Max time kernel

299s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe"

Signatures

Creates new service(s)

persistence execution

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
N/A N/A C:\Program Files\Windows Media Player\wmixedwk.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
N/A N/A C:\Program Files\Windows Media Player\wmixedwk.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\1612.hecate C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\240.hecate C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\1276.hecate C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\system32\SearchProtocolHost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\4428.hecate C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\700.hecate C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\4960.hecate C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\2684.hecate C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\2468.hecate C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\4936.hecate C:\Windows\system32\svchost.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Local\info C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\1580.hecate C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\2108.hecate C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Local\804.hecate C:\Windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1976 set thread context of 4992 N/A C:\Program Files\Windows Media Player\wmixedwk.exe C:\Windows\system32\svchost.exe
PID 4992 set thread context of 4936 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 set thread context of 656 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 set thread context of 1612 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 set thread context of 4428 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 set thread context of 2684 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 set thread context of 1580 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 set thread context of 700 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 set thread context of 4960 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 set thread context of 2108 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 set thread context of 2468 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 set thread context of 240 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 set thread context of 1276 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 set thread context of 804 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Media Player\ppqqxpb C:\Windows\system32\svchost.exe N/A
File created C:\Program Files\Windows Media Player\wmixedwk.exe C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe N/A
File opened for modification C:\Program Files\Windows Media Player\mpsvc.dll C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ppqqxpa C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ppqqxpb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ppqqxpb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ppqqxpb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ppqqxpb C:\Windows\system32\svchost.exe N/A
File created C:\Program Files\Windows Media Player\background.jpg C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe N/A
File created C:\Program Files\Windows Media Player\mpsvc.dll C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmixedwk.exe C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ppqqxpb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ppqqxpb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ppqqxds C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ppqqxpp C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ppqqxpb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ppqqxpb C:\Windows\system32\svchost.exe N/A
File created C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ppqqxpb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ppqqxpb C:\Windows\system32\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\system32\SearchIndexer.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice\Hash = "KUxeViXgfZ0=" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000979cc668eab2da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.3g2 = "1" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mts\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.raw = "1" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice\Hash = "hcWxZID/+P4=" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice\Hash = "I/zSEvi/eRs=" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.TS = "1" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice\Hash = "1OHwB4nWAgk=" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\UserChoice C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice\Hash = "yXPQ4YxOPpk=" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice\ProgId = "AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1315f69eab2da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091fbb7f6eab2da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice\Hash = "70ehGIqrwIU=" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001562ac68eab2da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b481569eab2da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Contact file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\yzzg C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.adts\UserChoice\ProgId = "AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice\Hash = "/OQEch02awE=" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd008b68eab2da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS\UserChoice\Hash = "snhtDXLVLCI=" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice\ProgId = "AppX6eg8h5sxqq90pv53845wmnbewywdqq5h" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.m4v = "1" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.dib = "1" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.bmp = "1" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc" C:\Windows\system32\SearchProtocolHost.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 748 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe C:\Windows\System32\cmd.exe
PID 748 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe C:\Windows\System32\cmd.exe
PID 1028 wrote to memory of 792 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1028 wrote to memory of 792 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1028 wrote to memory of 4584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1028 wrote to memory of 4584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2932 wrote to memory of 2228 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2932 wrote to memory of 2228 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1976 wrote to memory of 4992 N/A C:\Program Files\Windows Media Player\wmixedwk.exe C:\Windows\system32\svchost.exe
PID 1976 wrote to memory of 4992 N/A C:\Program Files\Windows Media Player\wmixedwk.exe C:\Windows\system32\svchost.exe
PID 1976 wrote to memory of 4992 N/A C:\Program Files\Windows Media Player\wmixedwk.exe C:\Windows\system32\svchost.exe
PID 1976 wrote to memory of 4992 N/A C:\Program Files\Windows Media Player\wmixedwk.exe C:\Windows\system32\svchost.exe
PID 2932 wrote to memory of 3892 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 2932 wrote to memory of 3892 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 1976 wrote to memory of 4992 N/A C:\Program Files\Windows Media Player\wmixedwk.exe C:\Windows\system32\svchost.exe
PID 1976 wrote to memory of 4992 N/A C:\Program Files\Windows Media Player\wmixedwk.exe C:\Windows\system32\svchost.exe
PID 1976 wrote to memory of 4992 N/A C:\Program Files\Windows Media Player\wmixedwk.exe C:\Windows\system32\svchost.exe
PID 1976 wrote to memory of 4992 N/A C:\Program Files\Windows Media Player\wmixedwk.exe C:\Windows\system32\svchost.exe
PID 1976 wrote to memory of 4992 N/A C:\Program Files\Windows Media Player\wmixedwk.exe C:\Windows\system32\svchost.exe
PID 1976 wrote to memory of 4992 N/A C:\Program Files\Windows Media Player\wmixedwk.exe C:\Windows\system32\svchost.exe
PID 1976 wrote to memory of 4992 N/A C:\Program Files\Windows Media Player\wmixedwk.exe C:\Windows\system32\svchost.exe
PID 748 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe C:\Windows\System32\cmd.exe
PID 748 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe C:\Windows\System32\cmd.exe
PID 748 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe C:\Windows\system32\cmd.exe
PID 748 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe C:\Windows\system32\cmd.exe
PID 4992 wrote to memory of 4936 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 4936 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 4936 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 4936 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 4936 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 4936 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 4936 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 656 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 656 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 656 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 656 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 656 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 656 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 656 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 656 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 656 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 656 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 656 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 1612 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 1612 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 1612 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 1612 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 1612 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 1612 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 1612 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4344 wrote to memory of 2256 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4344 wrote to memory of 2256 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 2236 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2236 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4992 wrote to memory of 4428 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 4428 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 4428 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 4428 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 4428 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 4428 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 4428 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 2684 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 2684 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe
PID 4992 wrote to memory of 2684 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe

"C:\Users\Admin\AppData\Local\Temp\e6de332ad778f7a7cf160efa60656c3ac960dc77806905493d5cffe58ee1de16.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Program Files\Windows Media Player\wmixedwk.exe

"C:\Program Files\Windows Media Player\wmixedwk.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 684 688 696 8192 692

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" cmd /c sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\kkxqbh.bat" "

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\sc.exe

sc create "Accecss Auto Connetcion Manager" binPath= "C:\Program Files\Windows Media Player\wmixedwk.exe" START= auto DISPLAYNAME= "WebServer" TYPE= own

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 3

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 684 688 696 8192 692

C:\Windows\system32\svchost.exe

"C:\Windows\system32\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sta.alie3ksgee.com udp
HK 103.146.158.221:80 sta.alie3ksgee.com tcp
US 8.8.8.8:53 221.158.146.103.in-addr.arpa udp
US 8.8.8.8:53 myxqbh.top udp
CN 182.108.48.202:6666 myxqbh.top udp
US 8.8.8.8:53 202.48.108.182.in-addr.arpa udp
HK 103.146.158.221:80 sta.alie3ksgee.com tcp
US 8.8.8.8:53 cl.alie3ksgff.com udp
US 149.28.212.217:6666 cl.alie3ksgff.com udp
US 8.8.8.8:53 217.212.28.149.in-addr.arpa udp
CN 182.108.48.202:6666 myxqbh.top udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
CN 182.108.48.202:6666 myxqbh.top udp
CN 182.108.48.202:6666 myxqbh.top udp
CN 182.108.48.202:6666 myxqbh.top udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp
CN 182.108.48.202:6666 myxqbh.top udp
CN 182.108.48.202:6666 myxqbh.top udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
CN 182.108.48.202:6666 myxqbh.top udp
CN 182.108.48.202:6666 myxqbh.top udp
CN 182.108.48.202:6666 myxqbh.top udp
CN 182.108.48.202:6666 myxqbh.top udp

Files

memory/748-0-0x00007FF68914D000-0x00007FF68914F000-memory.dmp

memory/748-3-0x00000201799F0000-0x0000020179A1C000-memory.dmp

memory/748-5-0x00007FF689140000-0x00007FF68917C000-memory.dmp

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 90b85ffbdeead1be861d59134ea985b0
SHA1 55e9859aa7dba87678e7c529b571fdf6b7181339
SHA256 ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2
SHA512 8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce

memory/2932-19-0x00000158C7770000-0x00000158C7780000-memory.dmp

memory/2932-35-0x00000158C7870000-0x00000158C7880000-memory.dmp

memory/2932-51-0x00000158CBD90000-0x00000158CBD98000-memory.dmp

C:\Program Files\Windows Media Player\mpsvc.dll

MD5 7b207ce9f9d71dfc2eaa2e959634a54d
SHA1 8222daa0c820e50d02ffabdc55dfb7461bbaa1e5
SHA256 757af7a540628004b446117be432342674f7830fa008f97a5f4a1ac386954bc2
SHA512 6ffbe6e33768e2fbea8c7cee428eb4b61e3eb1dd12e470de363f1d6e274296adabc8d1e681fe5a5f2b1dc8e8eb08bd360572bfd34706e82580c51be57f6fcf5a

C:\Program Files\Windows Media Player\background.jpg

MD5 9ba59c9cdc78e180449aa174c12449de
SHA1 4e3b16fedae56779fd46b1e1eef4be9787d29d35
SHA256 a76ae040e6bac7e2a55acd35549e8f51fea02e525631334ca092f82e1ba26908
SHA512 f47f2f1961eb157fe587ed565c9c579a4a48b8633fa72e16ab31911f7c75fe3704b5bbafa98d6f09945bb6a6652530ffbfe569de6474d182266ad8e619b9a1e2

memory/4992-69-0x0000000140000000-0x0000000140026000-memory.dmp

memory/4992-72-0x0000000140000000-0x0000000140026000-memory.dmp

memory/4992-71-0x0000000140000000-0x0000000140026000-memory.dmp

memory/4992-68-0x0000000140000000-0x0000000140026000-memory.dmp

memory/4936-80-0x0000000140000000-0x000000014011B000-memory.dmp

memory/4936-79-0x0000000140000000-0x000000014011B000-memory.dmp

memory/4936-83-0x0000000140000000-0x000000014011B000-memory.dmp

memory/1612-93-0x0000000140000000-0x000000014011B000-memory.dmp

memory/1612-94-0x0000000140000000-0x000000014011B000-memory.dmp

C:\kkxqbh.bat

MD5 44a3af72a2e7efad7f05b5b264f2b133
SHA1 cfd7c8451a0c6e8123328b18f96bec50d04b50ab
SHA256 471ff503db8bd1d39701d587ec4f2d3c97c2843a53e812fe726c970f7306fbb4
SHA512 3d2009c7d4b82fd970ced78fe97b0d5ed08ca7a33480969deb5345195e50877e5efe8f80eeca86c63c5f87cc3779f7f9aba47eb1cca1c29656cb4f74bfd4e14a

memory/1612-92-0x0000000140000000-0x000000014011B000-memory.dmp

memory/656-91-0x0000000140000000-0x00000001400D1000-memory.dmp

memory/656-89-0x0000000140000000-0x00000001400D1000-memory.dmp

memory/656-88-0x0000000140000000-0x00000001400D1000-memory.dmp

memory/656-86-0x0000000140000000-0x00000001400D1000-memory.dmp

memory/656-85-0x0000000140000000-0x00000001400D1000-memory.dmp

memory/4936-82-0x0000000140000000-0x000000014011B000-memory.dmp

memory/656-87-0x0000000140000000-0x00000001400D1000-memory.dmp

memory/656-84-0x0000000140000000-0x00000001400D1000-memory.dmp

memory/4936-78-0x0000000140000000-0x000000014011B000-memory.dmp

memory/748-76-0x00000201799F0000-0x0000020179A1C000-memory.dmp

memory/4992-67-0x0000000140000000-0x0000000140026000-memory.dmp

memory/4992-66-0x0000000140000000-0x0000000140026000-memory.dmp

memory/4992-65-0x0000000140000000-0x0000000140026000-memory.dmp

memory/4992-64-0x0000000140000000-0x0000000140026000-memory.dmp

memory/4992-63-0x0000000140000000-0x0000000140026000-memory.dmp

C:\Windows\Temp\aad9f05a9a826b65ff2b94740ca196c2

MD5 e31b6384f95f1bea7a1083557a05001e
SHA1 d711a24f5ab7dfd64565c1b5d8ec174cc7322800
SHA256 60e60279a0ec2bb915c564b47c6f8aca8de702a7e1b3ec0712d415dc8c559890
SHA512 74a691e526432c01b7495709f672d66fd3246d7e6299234181c56a9de25aee8c590616cae3d9796201368a47c205a017f499df32cf7f5358f2c3a6f58e90a641