Malware Analysis Report

2024-12-07 14:29

Sample ID: 241013-agg9gatbmn
Target: SFMC-1.0.15.5-Setup-Full.exe
SHA256: 40cb94e431dac4df195e08238d262a416ec313c1e8acdf4b58231297dc2439c2
Tags: discovery, exploit
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file SFMC-1.0.15.5-Setup-Full.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, exploit

Possible privilege escalation attempt

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Checks installed software on the system

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-13 00:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-13 00:10
Reported: 2024-10-13 00:13
Platform: win7-20240903-en
Max time kernel: 142s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SFMC-1.0.15.5-Setup-Full.exe"

Signatures

Possible privilege escalation attempt (exploit)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\takeown.exe | N/A
N/A | N/A | C:\Windows\System32\icacls.exe | N/A

Modifies file permissions (discovery)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\icacls.exe | N/A
N/A | N/A | C:\Windows\System32\takeown.exe | N/A

Checks installed software on the system (discovery)

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\System Functions Software\Media Center Themer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | N/A
File opened for modification | C:\Program Files (x86)\System Functions Software\Media Center Themer\ICSharpCode.SharpZipLib.dll | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | N/A
File opened for modification | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | N/A
File created | C:\Program Files (x86)\System Functions Software\Media Center Themer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | N/A
File created | C:\Program Files (x86)\System Functions Software\Media Center Themer\is-RTM0R.tmp | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | N/A
File created | C:\Program Files (x86)\System Functions Software\Media Center Themer\is-PKQUK.tmp | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | N/A
File created | C:\Program Files (x86)\System Functions Software\Media Center Themer\is-MKR5R.tmp | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | N/A
File created | C:\Program Files (x86)\System Functions Software\Media Center Themer\is-FCA54.tmp | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\ehome\backups\Microsoft.MediaCenter.Shell.dll | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
File created | C:\Windows\ehome\ehres.dll | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
File created | C:\Windows\ehome\backups\ehres.dll | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
File opened for modification | C:\Windows\ehome\backups\ehres.dll | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SFMC-1.0.15.5-Setup-Full.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A

Kills process with taskkill (evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mct\DefaultIcon | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1" | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mct_auto_file\shell\open\command\ = "\"C:\\Program Files (x86)\\System Functions Software\\Media Center Themer\\MCThemerUI.exe\" \"%1\"" | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4" | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257" | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mct | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mct_auto_file\ = "Media Center Theme data file" | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16" | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mct\DefaultIcon\ = "\"C:\\ProgramData\\System Functions Software\\MediaCenterThemer\\MCT-Icon.ico\"" | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mct\ = "mct_auto_file" | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mct_auto_file | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mct_auto_file\shell | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mct_auto_file\shell\open | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1" | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mct_auto_file\shell\open\command | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616193" | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2332 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\SFMC-1.0.15.5-Setup-Full.exe | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp
PID 2332 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\SFMC-1.0.15.5-Setup-Full.exe | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp
PID 2332 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\SFMC-1.0.15.5-Setup-Full.exe | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp
PID 2332 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\SFMC-1.0.15.5-Setup-Full.exe | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp
PID 2332 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\SFMC-1.0.15.5-Setup-Full.exe | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp
PID 2332 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\SFMC-1.0.15.5-Setup-Full.exe | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp
PID 2332 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\SFMC-1.0.15.5-Setup-Full.exe | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp
PID 2540 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | C:\Windows\SysWOW64\taskkill.exe
PID 2540 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | C:\Windows\SysWOW64\taskkill.exe
PID 2540 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | C:\Windows\SysWOW64\taskkill.exe
PID 2540 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | C:\Windows\SysWOW64\taskkill.exe
PID 2540 wrote to memory of 476 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe
PID 2540 wrote to memory of 476 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe
PID 2540 wrote to memory of 476 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe
PID 2540 wrote to memory of 476 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe
PID 476 wrote to memory of 1912 | N/A | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | C:\Windows\System32\takeown.exe
PID 476 wrote to memory of 1912 | N/A | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | C:\Windows\System32\takeown.exe
PID 476 wrote to memory of 1912 | N/A | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | C:\Windows\System32\takeown.exe
PID 476 wrote to memory of 2032 | N/A | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | C:\Windows\System32\icacls.exe
PID 476 wrote to memory of 2032 | N/A | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | C:\Windows\System32\icacls.exe
PID 476 wrote to memory of 2032 | N/A | C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe | C:\Windows\System32\icacls.exe

Processes

Image: C:\Users\Admin\AppData\Local\Temp\SFMC-1.0.15.5-Setup-Full.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SFMC-1.0.15.5-Setup-Full.exe"

Image: C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp
Command line: "C:\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp" /SL5="$30148,2514860,230912,C:\Users\Admin\AppData\Local\Temp\SFMC-1.0.15.5-Setup-Full.exe"

Image: C:\Windows\SysWOW64\taskkill.exe
Command line: "C:\Windows\System32\taskkill.exe" /IM MCThemerUI.exe /f

Image: C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe
Command line: "C:\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe"

Image: C:\Windows\System32\takeown.exe
Command line: "C:\Windows\System32\takeown.exe" /f "C:\Windows\ehome" /r /d y

Image: C:\Windows\System32\icacls.exe
Command line: "C:\Windows\System32\icacls.exe" "C:\Windows\ehome" /grant BUILTIN\Administrators:F /t

Network

N/A

Files

memory/2332-2-0x0000000000401000-0x000000000040B000-memory.dmp

memory/2332-0-0x0000000000400000-0x000000000043F000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-OQSG7.tmp\SFMC-1.0.15.5-Setup-Full.tmp

MD5 89ae994d144376496da7226c96874451
SHA1 8f4cd0fe90b8017e2984d918ceef5fdead9ce308
SHA256 770047e65bf5ee822edaff53beb019a2bd521a4cd32aab73264e6b5ca75965bb
SHA512 013ec11f2f6bdf7db36d1ed1c942a2a8c8c94b8da6547518ca2be594da416cbe9f24ccfd0092551b70b8fac1baf90c04e6d42d921d7c7ff16e7c2b31d5692ede

memory/2540-14-0x0000000000400000-0x00000000004E7000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-KB874.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2332-15-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2540-17-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/2540-19-0x0000000000400000-0x00000000004E7000-memory.dmp

\Program Files (x86)\System Functions Software\Media Center Themer\MCThemerUI.exe

MD5 a783a35a0314f652592d2eaeaaad96a6
SHA1 34a11a795258aa685a5a8ecd1c9ce1c5f05ee68b
SHA256 6dcf16a0dc6f5540dc71a47df2096750ef998d14be52800f790f8563804e7cad
SHA512 c25368066045466a2952c8d2876eb6e67eb0a9821f9fddd7959a2ff51dc9e0dc02770e28a3afa44493fd56d51d3d9d00a2f1a986911f3a776b232222c12be1c3

\Program Files (x86)\System Functions Software\Media Center Themer\unins000.exe

MD5 bbd08bc03eaa9e351c4a996296d56cbd
SHA1 ef26352f0982cfe7a1028d298aa7588239b1b879
SHA256 f595c5736014eef5c5ce6e9eae682a8549c717b2b845404dae8b66ca81973175
SHA512 c73b0cdbe6a6deae1a35909df76aa68f964a5b8bc5dc812034a14475ca0a3003e30828b1c9de45734e92ee9a5704d8ddde783cf8a1e9e664397e3ebce0cd1f92

memory/476-45-0x0000000000BA0000-0x0000000000E0E000-memory.dmp

memory/2540-49-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/2332-50-0x0000000000400000-0x000000000043F000-memory.dmp

memory/476-54-0x000000001F330000-0x000000001F340000-memory.dmp