Malware Analysis Report

2024-09-22 14:51

Sample ID 240619-scc33axbpq
Target finalshell_install.msi.vir
SHA256 9861a44622f62ea87dd8ce53ef752d5af92dc60f8e012f72f1873fd462b4e0e0
Tags
persistence privilege_escalation gh0strat purplefox rat rootkit trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9861a44622f62ea87dd8ce53ef752d5af92dc60f8e012f72f1873fd462b4e0e0

Threat Level: Known bad

The file finalshell_install.msi.vir was found to be: Known bad.

Malicious Activity Summary

persistence privilege_escalation gh0strat purplefox rat rootkit trojan

Detect PurpleFox Rootkit

PurpleFox

Gh0strat

Gh0st RAT payload

Enumerates connected drives

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Event Triggered Execution: Installer Packages

Program crash

Enumerates physical storage devices

NSIS installer

Runs ping.exe

Gathers network information

Enumerates processes with tasklist

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies data under HKEY_USERS

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 14:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 14:58

Reported

2024-06-19 15:02

Platform

win7-20240508-en

Max time kernel

150s

Max time network

124s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\finalshell_install.msi

Signatures

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\System32\msiexec.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Windows Defenderr\librdkafka.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files\Windows Defenderr\1 | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files\Windows Defenderr\TrackerUI.sys | C:\Windows\syswow64\MsiExec.exe | N/A
File opened for modification | C:\Program Files\Windows Defenderr\TrackerUI.sys | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files\Windows Defenderr\Phone.exe | C:\Windows\syswow64\MsiExec.exe | N/A
File created | C:\Program Files\Windows Defenderr\2 | C:\Windows\system32\msiexec.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\Installer\f769ea0.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI9F1D.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\{180946E5-8F8D-49F2-8FAC-AEBC5196BF9E}\finalshell2001.exe | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\f769ea1.ipi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\Installer\f769ea1.ipi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\f769ea3.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\Installer\f769ea4.msi | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\f769ea7.ipi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIC2B7.tmp | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\f769ea9.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\Installer\f769ea4.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A
File created | C:\Windows\Installer\f769ea0.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSIA036.tmp | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\{180946E5-8F8D-49F2-8FAC-AEBC5196BF9E}\finalshell2001.exe | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\Installer\f769ea7.ipi | C:\Windows\system32\msiexec.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files\Windows Defenderr\Phone.exe

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication" | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust" | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F2613129C24CE43458177D2F46601180 | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F2613129C24CE43458177D2F46601180\5E649081D8F82F94F8CAEACB1569FBE9 | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5E649081D8F82F94F8CAEACB1569FBE9 | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5E649081D8F82F94F8CAEACB1569FBE9\MainFeature | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9 | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\ProductName = "FinalShell" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\PackageCode = "1035B3F7A8404EF48BDE65DC9EC88B15" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\Version = "67305482" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\PackageName = "finalshell_install.msi" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\Language = "2052" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\ProductIcon = "C:\\Windows\\Installer\\{180946E5-8F8D-49F2-8FAC-AEBC5196BF9E}\\finalshell2001.exe" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Program Files\Windows Defenderr\Phone.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\System32\msiexec.exe | N/A
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\System32\msiexec.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2416 wrote to memory of 3020 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 3020 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 3020 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 3020 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 3020 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 3020 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 3020 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 2168 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 2168 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 2168 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 2168 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 2168 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 2168 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 2168 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 2100 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 2100 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 2100 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 2100 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 2100 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 2100 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2416 wrote to memory of 2100 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe
PID 2100 wrote to memory of 2780 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Program Files\Windows Defenderr\Phone.exe
PID 2100 wrote to memory of 2780 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Program Files\Windows Defenderr\Phone.exe
PID 2100 wrote to memory of 2780 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Program Files\Windows Defenderr\Phone.exe
PID 2100 wrote to memory of 2780 | N/A | C:\Windows\syswow64\MsiExec.exe | C:\Program Files\Windows Defenderr\Phone.exe
PID 2780 wrote to memory of 2656 | N/A | C:\Program Files\Windows Defenderr\Phone.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2780 wrote to memory of 2656 | N/A | C:\Program Files\Windows Defenderr\Phone.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2780 wrote to memory of 2656 | N/A | C:\Program Files\Windows Defenderr\Phone.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2780 wrote to memory of 2656 | N/A | C:\Program Files\Windows Defenderr\Phone.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1632 wrote to memory of 948 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F47128F7-F7A3-4631-85BA-07xv2Dw5260F}\Phone.exe
PID 1632 wrote to memory of 948 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F47128F7-F7A3-4631-85BA-07xv2Dw5260F}\Phone.exe
PID 1632 wrote to memory of 948 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F47128F7-F7A3-4631-85BA-07xv2Dw5260F}\Phone.exe
PID 1632 wrote to memory of 948 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F47128F7-F7A3-4631-85BA-07xv2Dw5260F}\Phone.exe
PID 1632 wrote to memory of 1960 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F47128F7-F7A3-4631-85BA-07xv2Dw5260F}\Phone.exe
PID 1632 wrote to memory of 1960 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F47128F7-F7A3-4631-85BA-07xv2Dw5260F}\Phone.exe
PID 1632 wrote to memory of 1960 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F47128F7-F7A3-4631-85BA-07xv2Dw5260F}\Phone.exe
PID 1632 wrote to memory of 1960 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F47128F7-F7A3-4631-85BA-07xv2Dw5260F}\Phone.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\finalshell_install.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A5E1C7F10E63ADD0D9E931768EDCDE27 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "00000000000003D4" "00000000000005AC"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DB032785993C818CC9960F73A8C0D9A1

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\WindowsProgram.msi"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000544" "0000000000000530"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 57B26C51C01BF424E65E7215FC54B247

C:\Program Files\Windows Defenderr\Phone.exe

"C:\Program Files\Windows Defenderr\Phone.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 176

C:\Windows\system32\taskeng.exe

taskeng.exe {3D965777-3E24-47D1-9490-8787365DC536} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]

C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F47128F7-F7A3-4631-85BA-07xv2Dw5260F}\Phone.exe

C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F47128F7-F7A3-4631-85BA-07xv2Dw5260F}\Phone.exe

C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F47128F7-F7A3-4631-85BA-07xv2Dw5260F}\Phone.exe

C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F47128F7-F7A3-4631-85BA-07xv2Dw5260F}\Phone.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pplilv.bond udp
HK 154.19.85.129:80 pplilv.bond tcp

Files

C:\Users\Admin\AppData\Local\Temp\MSI2E41.tmp

MD5 c7fbd5ee98e32a77edf1156db3fca622
SHA1 3e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256 e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA512 8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

C:\Users\Admin\AppData\Local\FinalShell\Finalshell\jre\legal\java.naming\COPYRIGHT

MD5 4586c3797f538d41b7b2e30e8afebbc9
SHA1 3419ebac878fa53a9f0ff1617045ddaafb43dce0
SHA256 7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018
SHA512 f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

C:\Users\Admin\AppData\Local\FinalShell\Finalshell\jre\legal\java.naming\LICENSE

MD5 16989bab922811e28b64ac30449a5d05
SHA1 51ab20e8c19ee570bf6c496ec7346b7cf17bd04a
SHA256 86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192
SHA512 86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

C:\Users\Admin\AppData\Local\FinalShell\Finalshell\finalshell.exe

MD5 c1c11656f36a5b2b7bf514a6cf4ddf54
SHA1 1b99cfe6a5c16c88b3a4efb3874127ea2bb0d420
SHA256 47600daab17337f9c268426027ffd9ed2cf1a1774ff84cb81e24ed61b7c7407b
SHA512 b546d7b59706b02cffd1ed3927981ff85e6f992afe0f69261780d6c40636b0ce3782954497dfeefea058d196a6e62e2f568da28a90961357b4fe39f3d52a0eae

C:\Config.Msi\f769ea2.rbs

MD5 b870dd2509003ee77d9483926a65fdbd
SHA1 5e6b23ef36a51db74d19271d65344859ffd73131
SHA256 fa482a42f8885fa7fd650897c9eeddeb8335086bf362561f8ae067e62c239ef1
SHA512 5b9eb5929ee36c11ed23956e944ab146fad603b982da0e202438e476d7d3da356c6b238416111b45e3038a59225924f22e605bf2a106303ce703ac660d22f3ac

memory/3020-264-0x0000000000290000-0x0000000000292000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WindowsProgram.msi

MD5 7813c15b89e15b8af723338db9bd5936
SHA1 2308be3f8f1c3f46cd2eb14189c19c0e2deef8c5
SHA256 17fcf1aacf2981cff65f7d0f3f03029c15eebfd7f71790cdf0f03553895d4152
SHA512 ef1b63b1b8b670610bcc5b461457d5b58fca57577b7cf8442183c921ed516b7a87f48b4fde9d325dcc087cb090d7f8992f1eec2a68d1c06c263b6ea93470faeb

C:\Program Files\Windows Defenderr\2

MD5 de5b9a4e125ac870b304a80fc829f888
SHA1 d82d45dbeb3c2d702b6bb6b4c28a95d357b86316
SHA256 992d22609eb21b384ac3965d18cca4fa620e2a743451db60d19794eafe553362
SHA512 471249934c2560ccd166ca559e9d73622a4653a7226a2e7ff3c0225dcd882d9d78e8676342938c6c6e56d6167a37d8e96423b2de6f6a5f9740424191481fb725

C:\Program Files\Windows Defenderr\1

MD5 a8a5c802a0ba7779cd378a4ed88a1645
SHA1 c78967d9cf1fa6017757b93891b423854952b4ef
SHA256 b7247f59f232b373c2473f869c8269a7ef46ad29bbc64403a29c697313b6ae74
SHA512 329b43bbf38ac5b547c69f1301c8899ae24a044009051236df2678911cd636961731a4f274cd55381a86cab3dd74dabee2cb25d8968361991d516cdf7d945709

C:\Config.Msi\f769ea8.rbs

MD5 ef00698b55c79980dadc6a9df1f4e820
SHA1 d45e661787283a83029d6b3b618264c9c860c79e
SHA256 4eae406fb5af1acf65d7dbf88e253253812446e19867990b2a1220f13f235e23
SHA512 03b71ec72a02be88ca8987c36ac90794c35c4e77193cb82fd9bb2ddcf3b616faadaa367d5813ffc232741a78f1035ad557d11d7e13208c642a1836a893418975

memory/2780-314-0x0000000000240000-0x000000000033E000-memory.dmp

C:\ProgramData\{14B2A052-3CA3-4d7d-8CE0-A8xvDFw50F17}\{F3F305A2-E5E7-488d-A947-75xvA2w51D0B}.exe

MD5 d96a742899aeab9eaba691861908e316
SHA1 777f988457a9265431e8119bd2d579f264f565f5
SHA256 1d8b0d810d826574637041cc56c5532139eccff5064195bfea0d65ac0c3624d3
SHA512 cc3f75a0d2abe5860acefebda2d44dba7259d7f28e32dfd41d3d7361df7f4195deb49e8c7f7d74f09bffdd8a39fde5a0eeee222a92bdef3f773379284aadf582

memory/948-334-0x0000000000BB0000-0x0000000000CAE000-memory.dmp

memory/2780-335-0x0000000000240000-0x000000000033E000-memory.dmp

memory/1960-353-0x0000000000100000-0x00000000001FE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 14:58

Reported

2024-06-19 15:02

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

154s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\finalshell_install.msi

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\I: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\Q: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\W: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\Z: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\N: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\G: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\K: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\T: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\B: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\X: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\E: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\H: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\P: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\S: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\R: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\O: C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Defenderr\1 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Windows Defenderr\TrackerUI.sys C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Program Files\Windows Defenderr\TrackerUI.sys C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files\Windows Defenderr\Phone.exe C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Program Files\Windows Defenderr\2 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Windows Defenderr\librdkafka.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID455.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{180946E5-8F8D-49F2-8FAC-AEBC5196BF9E}\finalshell2001.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58cfe1.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58cfe5.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58cfde.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{3C963879-488B-4A1C-BB5D-DF7EFE72A13D} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDF72.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58cfe1.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID099.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58cfde.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID176.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{180946E5-8F8D-49F2-8FAC-AEBC5196BF9E} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{180946E5-8F8D-49F2-8FAC-AEBC5196BF9E}\finalshell2001.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58cfe0.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID165.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files\Windows Defenderr\Phone.exe

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value not captured in this report] C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F2613129C24CE43458177D2F46601180\5E649081D8F82F94F8CAEACB1569FBE9 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5E649081D8F82F94F8CAEACB1569FBE9 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F2613129C24CE43458177D2F46601180 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\syswow64\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\ProductName = "FinalShell" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\PackageCode = "1035B3F7A8404EF48BDE65DC9EC88B15" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\PackageName = "finalshell_install.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5E649081D8F82F94F8CAEACB1569FBE9\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\Language = "2052" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\Version = "67305482" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Program Files\Windows Defenderr\Phone.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5E649081D8F82F94F8CAEACB1569FBE9\ProductIcon = "C:\\Windows\\Installer\\{180946E5-8F8D-49F2-8FAC-AEBC5196BF9E}\\finalshell2001.exe" C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\Phone.exe N/A
N/A N/A C:\Program Files\Windows Defenderr\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A
N/A N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5056 wrote to memory of 1612 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5056 wrote to memory of 1612 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5056 wrote to memory of 1612 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5056 wrote to memory of 4392 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 5056 wrote to memory of 4392 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 5056 wrote to memory of 3004 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5056 wrote to memory of 3004 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5056 wrote to memory of 3004 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5056 wrote to memory of 1044 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5056 wrote to memory of 1044 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 5056 wrote to memory of 1044 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1044 wrote to memory of 1544 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files\Windows Defenderr\Phone.exe
PID 1044 wrote to memory of 1544 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files\Windows Defenderr\Phone.exe
PID 1044 wrote to memory of 1544 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files\Windows Defenderr\Phone.exe
PID 1400 wrote to memory of 1616 N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 1616 N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 1616 N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1616 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1616 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1616 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1616 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1616 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1400 wrote to memory of 4700 N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 4700 N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 4700 N/A C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe C:\Windows\SysWOW64\cmd.exe
PID 4700 wrote to memory of 336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 4700 wrote to memory of 336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 4700 wrote to memory of 336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1616 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1616 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1616 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Uses Volume Shadow Copy service COM API

ransomware (generic signature tag; in this detonation the VSS activity is msiexec.exe creating a system restore point through srtasks.exe ExecuteScopeRestorePoint and vssvc.exe, as listed under Processes, which is standard Windows Installer behaviour and not evidence of shadow-copy deletion or file encryption)

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\finalshell_install.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 6CBE5EF477CFB9B004EAD60D7A0914B4 C

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4320,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 1D6537D7ECC0F787185807ED7463F470

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\WindowsProgram.msi"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 1B93FE0B6FA40D3A230B78F1FB1277FD

C:\Program Files\Windows Defenderr\Phone.exe

"C:\Program Files\Windows Defenderr\Phone.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe

C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1544 -ip 1544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1584

C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe

C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\{6FDD4E84-A1CB-4a08-B7B1-E2xv8Ew59779}.cmd" "

C:\Windows\SysWOW64\tasklist.exe

tasklist /fi "PID eq 1400"

C:\Windows\SysWOW64\findstr.exe

findstr /i "1400"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ipconfig /flushdns

C:\Windows\SysWOW64\ipconfig.exe

ipconfig /flushdns

C:\Windows\SysWOW64\PING.EXE

ping -n 20 127.0.0.1
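The process chain above (msiexec.exe -> MsiExec.exe -Embedding -> Phone.exe in C:\Program Files\Windows Defenderr -> cmd.exe running a .cmd that polls PID 1400 with tasklist/findstr and sleeps with ping -n 20 127.0.0.1) can be turned into process-tree detection logic. The Python below is an added example, not part of this report or of any sandbox tooling: the record layout and field names are its own, the PIDs, images and command lines are copied from the Processes and WriteProcessMemory tables, and the parent of PID 1400 is recorded as unknown because the report does not show it. "Windows Defenderr" (doubled r) is not the real Windows Defender directory, which is what the lookalike rule catches. The MsiExec -Embedding rule also fires for benign installers that launch the installed program, so treat it as a triage signal to be read together with the other two.

```python
"""Added example (not from the report): three process-tree rules over
process-creation records. Sample records are constructed from the
report's tables; the Proc layout is this example's own."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int          # 0 = parent not recorded in the report
    image: str
    cmdline: str


PF = r"C:\Program Files\Windows Defenderr\Phone.exe"
PD = (r"C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}"
      r"\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe")

# Constructed from the report's Processes / WriteProcessMemory tables.
SAMPLE = [
    Proc(5056, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Proc(4392, 5056, r"C:\Windows\system32\srtasks.exe",
         r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    Proc(1044, 5056, r"C:\Windows\syswow64\MsiExec.exe",
         r"C:\Windows\syswow64\MsiExec.exe -Embedding 1B93FE0B6FA40D3A230B78F1FB1277FD"),
    Proc(1544, 1044, PF, f'"{PF}"'),
    Proc(1400, 0, PD, PD),
    Proc(1616, 1400, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\ProgramData\{6FDD4E84-A1CB-4a08-B7B1-E2xv8Ew59779}.cmd" "'),
    Proc(1548, 1616, r"C:\Windows\SysWOW64\tasklist.exe", 'tasklist /fi "PID eq 1400"'),
    Proc(1224, 1616, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /i "1400"'),
    Proc(4396, 1616, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 20 127.0.0.1"),
    Proc(4700, 1400, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c ipconfig /flushdns"),
    Proc(336, 4700, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /flushdns"),
]

# Directory names a dropper may imitate under Program Files (assumed list).
TRUSTED_DIRS = {"windows defender", "microsoft", "common files"}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short directory names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_dir(image: str):
    """Trusted name that a Program Files sub-directory imitates, or None."""
    m = re.match(r"(?i)^c:\\program files( \(x86\))?\\([^\\]+)\\", image)
    if not m:
        return None
    name = m.group(2).lower()
    for trusted in TRUSTED_DIRS:
        if name != trusted and edit_distance(name, trusted) <= 1:
            return trusted
    return None


def pid_wait_loop(procs, cmd: Proc):
    """PID polled by a tasklist /fi "PID eq N" + ping -n K 127.0.0.1 idiom
    among the children of one cmd.exe, or None."""
    polled, slept = None, False
    for k in (p for p in procs if p.ppid == cmd.pid):
        m = re.search(r'(?i)tasklist\s+/fi\s+"?pid\s+eq\s+(\d+)', k.cmdline)
        if m:
            polled = int(m.group(1))
        if re.search(r"(?i)\bping\b.*-n\s+([2-9]|\d{2,})\b.*127\.0\.0\.1", k.cmdline):
            slept = True
    return polled if (polled is not None and slept) else None


def findings(procs):
    """(rule, pid, detail) tuples in input order."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        # 1. MsiExec custom-action server starting a binary outside C:\Windows.
        if (parent and parent.image.lower().endswith("\\msiexec.exe")
                and "-embedding" in parent.cmdline.lower()
                and not p.image.lower().startswith("c:\\windows\\")):
            out.append(("msi_custom_action_spawn", p.pid, p.image))
        # 2. Program Files directory one edit away from a trusted vendor name.
        t = lookalike_dir(p.image)
        if t:
            out.append(("lookalike_program_dir", p.pid, f"imitates '{t}'"))
        # 3. cmd.exe polling a PID with tasklist|findstr and sleeping via ping.
        if p.image.lower().endswith("\\cmd.exe"):
            polled = pid_wait_loop(procs, p)
            if polled is not None:
                who = "its own parent" if polled == p.ppid else f"pid {polled}"
                out.append(("pid_wait_loop", p.pid, f"waits for {who} to exit"))
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE):
        print(*f)
```

On the report's own records this yields one hit per rule, all on PIDs 1544 and 1616; the wait loop flags that cmd.exe 1616 is polling its parent (1400), the usual shape of a self-replace or cleanup stub that must outlive the process that launched it.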

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 pplilv.bond udp
HK 154.19.85.129:80 pplilv.bond tcp
US 8.8.8.8:53 129.85.19.154.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
HK 154.19.85.129:80 pplilv.bond tcp
HK 107.148.73.225:10200 tcp
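Most rows in the Network table are PTR (in-addr.arpa) lookups sent to 8.8.8.8, which are reverse-DNS noise from the host rather than sample traffic; the rows that matter are the resolution of pplilv.bond followed by TCP to 154.19.85.129:80, and the direct TCP connection to 107.148.73.225:10200 with no domain column at all. The parser below is an added example, not part of this report: it reads the flattened "Country Destination Domain Proto" layout (including the three-field row with no domain), decodes PTR names back to addresses, and keeps only those PTR lookups that target an address the sample actually connected to. The input is a constructed subset of the table above, and 8.8.8.8 is assumed to be the sandbox resolver because it is the only DNS destination listed.

```python
"""Added example (not from the report): IOC extraction from the flattened
Network table, separating C2 rows from reverse-lookup noise."""
import ipaddress
import re

# Constructed: a subset of the report's Network table, same column layout.
NETWORK_TABLE = """\
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 pplilv.bond udp
HK 154.19.85.129:80 pplilv.bond tcp
US 8.8.8.8:53 129.85.19.154.in-addr.arpa udp
HK 154.19.85.129:80 pplilv.bond tcp
HK 107.148.73.225:10200 tcp
"""

RESOLVERS = {"8.8.8.8"}   # assumed: the sandbox's DNS resolver


def parse_rows(text):
    """Rows as dicts; a three-field row means the Domain column is empty."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": "" if domain == "N/A" else domain, "proto": proto})
    return rows


def ptr_target(name):
    """'129.85.19.154.in-addr.arpa' -> '154.19.85.129'; None if not a PTR name."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", name)
    if not m:
        return None
    ip = ".".join(reversed(m.groups()))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def extract_iocs(text):
    rows = parse_rows(text)
    domains, endpoints, direct_ip, ptr_lookups = set(), set(), set(), set()
    for r in rows:
        is_dns = r["proto"] == "udp" and r["port"] == 53 and r["ip"] in RESOLVERS
        if is_dns:
            ip = ptr_target(r["domain"])
            if ip:
                ptr_lookups.add(ip)        # reverse lookup: noise unless correlated
            elif r["domain"]:
                domains.add(r["domain"])   # forward lookup of a real name
            continue
        endpoints.add((r["ip"], r["port"], r["proto"], r["domain"]))
        if not r["domain"]:
            direct_ip.add((r["ip"], r["port"]))   # connection with no DNS name
    contacted = {e[0] for e in endpoints}
    return {
        "domains": domains,
        "endpoints": endpoints,
        "direct_ip": direct_ip,
        # PTR lookups for an address the sample actually connected to.
        "ptr_confirmed": ptr_lookups & contacted,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(NETWORK_TABLE).items():
        print(key, sorted(value))
```

Run over the table this leaves one domain, two endpoints, one direct-to-IP connection (107.148.73.225:10200, worth blocking on its own since no name precedes it), and a single PTR-confirmed address, 154.19.85.129, the same host pplilv.bond resolved to.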

Files

C:\Users\Admin\AppData\Local\Temp\MSI27C.tmp

MD5 c7fbd5ee98e32a77edf1156db3fca622
SHA1 3e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256 e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA512 8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

C:\Users\Admin\AppData\Local\FinalShell\Finalshell\jre\legal\java.naming\COPYRIGHT

MD5 4586c3797f538d41b7b2e30e8afebbc9
SHA1 3419ebac878fa53a9f0ff1617045ddaafb43dce0
SHA256 7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018
SHA512 f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

C:\Users\Admin\AppData\Local\FinalShell\Finalshell\jre\legal\java.naming\LICENSE

MD5 16989bab922811e28b64ac30449a5d05
SHA1 51ab20e8c19ee570bf6c496ec7346b7cf17bd04a
SHA256 86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192
SHA512 86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

C:\Users\Admin\AppData\Local\FinalShell\Finalshell\finalshell.exe

MD5 c1c11656f36a5b2b7bf514a6cf4ddf54
SHA1 1b99cfe6a5c16c88b3a4efb3874127ea2bb0d420
SHA256 47600daab17337f9c268426027ffd9ed2cf1a1774ff84cb81e24ed61b7c7407b
SHA512 b546d7b59706b02cffd1ed3927981ff85e6f992afe0f69261780d6c40636b0ce3782954497dfeefea058d196a6e62e2f568da28a90961357b4fe39f3d52a0eae

C:\Config.Msi\e58cfdf.rbs

MD5 f76c00f0810fe8beb1174f93ae33f3ab
SHA1 03b61a09b0cad7b8d5279889b99753a7eda4e359
SHA256 38e29e1644440a57f2bce462b25e4c73048b049f35578a316208ad94b2cf9463
SHA512 a746eb3371ba3c78d64440df5d7c538fa2dec12b0e4b953b4fd69e3ef937bb9fa1e176c63d20c85a467c48b9a03a12dd6c5ade8f750366594da5289481385f92

C:\Users\Admin\AppData\Local\Temp\WindowsProgram.msi

MD5 7813c15b89e15b8af723338db9bd5936
SHA1 2308be3f8f1c3f46cd2eb14189c19c0e2deef8c5
SHA256 17fcf1aacf2981cff65f7d0f3f03029c15eebfd7f71790cdf0f03553895d4152
SHA512 ef1b63b1b8b670610bcc5b461457d5b58fca57577b7cf8442183c921ed516b7a87f48b4fde9d325dcc087cb090d7f8992f1eec2a68d1c06c263b6ea93470faeb

C:\Program Files\Windows Defenderr\2

MD5 de5b9a4e125ac870b304a80fc829f888
SHA1 d82d45dbeb3c2d702b6bb6b4c28a95d357b86316
SHA256 992d22609eb21b384ac3965d18cca4fa620e2a743451db60d19794eafe553362
SHA512 471249934c2560ccd166ca559e9d73622a4653a7226a2e7ff3c0225dcd882d9d78e8676342938c6c6e56d6167a37d8e96423b2de6f6a5f9740424191481fb725

C:\Program Files\Windows Defenderr\1

MD5 a8a5c802a0ba7779cd378a4ed88a1645
SHA1 c78967d9cf1fa6017757b93891b423854952b4ef
SHA256 b7247f59f232b373c2473f869c8269a7ef46ad29bbc64403a29c697313b6ae74
SHA512 329b43bbf38ac5b547c69f1301c8899ae24a044009051236df2678911cd636961731a4f274cd55381a86cab3dd74dabee2cb25d8968361991d516cdf7d945709

C:\Config.Msi\e58cfe4.rbs

MD5 7baa1650709da878468a41a635501cd4
SHA1 3b427389639f7eabb82103982e93d897075a0023
SHA256 40ab9494aadec3f7396face8fce6b40a15bc3782b6e225fc6dc3497523d7fdd6
SHA512 848ef8e9cb449b9b766e4d92245bfe102916bc6815f33b436c324ac60020c2c3a5852a1e08c03df411e5df6cd6da7bc44ad16773fd9c2ac11d6aea302d9e134a

\??\Volume{8a2ad7b7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8d315ea7-8fa7-4ae3-bfd6-b6dc71ed14aa}_OnDiskSnapshotProp

MD5 2e2e5d4e468d0d85102740f0703c6bb6
SHA1 9818832fb444e1a85a3d18915649be6401b15dbe
SHA256 d780fa9f08a295ef1c0975fc42d6451b37320571cdea953564dc47979a1fb21a
SHA512 89d415ecc5d1daf1b0d613d81f47fdb8fc8530d00de9acf1efa30bded54562016a11f54974e5157704e493d6d552acb7e5d2d722ab91e5a3fc832f6cc44fdf37

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 1acf5f3d3b194d6dbfa1e44de089c0b4
SHA1 470f89dee065f0a213cd48675353c6be1a225c31
SHA256 b41a87e96e8ed44d2ff0d0f4cf90578b7716114e235cea730f9494622f09fea2
SHA512 95d85b621f6cd70900ad519521562c937e441a1e0b5213ff5d97566448780cfbc441af49891c0e241022eeebfb9c1beb7321d50bef628fab08528b2159954d02

memory/1544-376-0x0000000000F80000-0x000000000107E000-memory.dmp

C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{6D54FAA2-99A5-47e2-B101-E5xvCCw59D76}.exe

MD5 d96a742899aeab9eaba691861908e316
SHA1 777f988457a9265431e8119bd2d579f264f565f5
SHA256 1d8b0d810d826574637041cc56c5532139eccff5064195bfea0d65ac0c3624d3
SHA512 cc3f75a0d2abe5860acefebda2d44dba7259d7f28e32dfd41d3d7361df7f4195deb49e8c7f7d74f09bffdd8a39fde5a0eeee222a92bdef3f773379284aadf582

memory/2700-390-0x0000000000DE0000-0x0000000000EDE000-memory.dmp

memory/1544-391-0x0000000000F80000-0x000000000107E000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\ProgramData\{6FDD4E84-A1CB-4a08-B7B1-E2xv8Ew59779}.cmd

MD5 2652de69af27cd85463fec04ef48eaba
SHA1 e04ad0123527b4733e26c8c46fba8ced09bc06f9
SHA256 45d30abfee01e6f3c4e10755dcff642103a26ea7b2d7381f0fbc90564e3f6c6a
SHA512 86d933bb4bf605ec2a7ee1a6ac9b396e792593de18ab212045e980ca80fe014615c9281a8df25208451d9efeeaec63a2bd16b9f4ee8100dbb74acc00c0feb7a2

memory/1400-403-0x0000000010290000-0x000000001044A000-memory.dmp

memory/1400-405-0x0000000010290000-0x000000001044A000-memory.dmp