Malware Analysis Report

2024-11-13 18:04

Sample ID 241109-nl5gfstdkq
Target a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN
SHA256 a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc
Tags
floxif adware backdoor defense_evasion discovery exploit persistence privilege_escalation stealer trojan upx
Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc

Threat Level: Known bad

The file a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN was found to be: Known bad.

Malicious Activity Summary

floxif adware backdoor defense_evasion discovery exploit persistence privilege_escalation stealer trojan upx

Floxif, Floodfix

Floxif family

Detects Floxif payload

Boot or Logon Autostart Execution: Active Setup

Possible privilege escalation attempt

Modifies system executable filetype association

Executes dropped EXE

Checks computer location settings

ACProtect 1.3x - 1.4x DLL software

Modifies file permissions

Event Triggered Execution: Component Object Model Hijacking

Loads dropped DLL

Adds Run key to start application

Indicator Removal: File Deletion

Installs/modifies Browser Helper Object

Enumerates connected drives

Checks installed software on the system

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

UPX packed file

Drops file in System32 directory

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

NSIS installer

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Runs .reg file with regedit

Modifies Shortcut Icons

Modifies File Icons

Scheduled Task/Job: Scheduled Task

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 11:30

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 11:30

Reported

2024-11-09 11:30

Platform

win7-20240903-en

Max time kernel

12s

Max time network

13s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe"

Signatures

Floxif family

floxif

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version = "10.0.42.34" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Locale = "EN" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000} C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ = "Adobe Flash Player" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ComponentID = "Flash" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IsInstalled = 01000000 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Program Files (x86)\WinRAR\uninstall.exe N/A
N/A N/A C:\Program Files (x86)\WinRAR\uninstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ C:\Program Files (x86)\WinRAR\uninstall.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\001\1 = "REGEDIT /S C:\\Windows\\register.reg" C:\Windows\SysWOW64\reg.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Indicator Removal: File Deletion

defense_evasion

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1AA53EE6-3170-4D34-A020-B6443A53A257} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ko-KR\Display.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Macromed\Flash\install.log C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
File created C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10d.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
File opened for modification C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10d.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
File created C:\Windows\SysWOW64\user32.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\winver.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\user32.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
File created C:\Windows\SysWOW64\slmgr.vbs C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\systemcpl.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\sppcomapi.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\ko-KR\shell32.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\ko-KR\themecpl.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\ko-KR\themecpl.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
File opened for modification C:\Windows\SysWOW64\slmgr.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\sppcomapi.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\winver.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
File opened for modification C:\Windows\SysWOW64\systemcpl.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\ko-KR\shell32.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\ko-KR\Display.dll.mui C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WinRAR\Formats\z.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Default_en-US.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\rarnew.dat C:\Program Files (x86)\WinRAR\uninstall.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\WinRAR.chm C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\7z.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Formats\tar.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\WinCon_en-US.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Zip.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\gz.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\cab.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\uue.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\rarreg.key C:\Program Files (x86)\WinRAR\uninstall.exe N/A
File created C:\Program Files (x86)\WinRAR\__tmp_rar_sfx_access_check_259480441 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Order.htm C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\WhatsNew.txt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\z.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Default.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\TechNote.txt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\UnrarSrc.txt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\RarExt.dll C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\ace.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Formats\iso.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\iso.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Rar.txt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\WhatsNew.txt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\UNACEV2.DLL C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Formats\ace.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Order.htm C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\7zxa.dll C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\RarExt64.dll C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\WinCon.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\WinCon.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Zip.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Zip_en-US.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Descript.ion C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\RarFiles.lst C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Uninstall.lst C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Formats\7zxa.dll C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\lzh.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\tar.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Rar.txt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\RarExt.dll C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Formats\7z.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Formats\bz2.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\bz2.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\zipnew.dat C:\Program Files (x86)\WinRAR\uninstall.exe N/A
File created C:\Program Files (x86)\WinRAR\File_Id.diz C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\UnRAR.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Formats\gz.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Default.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\RAR.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\RarExtLoader.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\RarFiles.lst C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\RarExtLoader.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Descript.ion C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\License.txt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\WinRAR.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\IEMaximizer.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\N7\GD.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\N7\GD.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\N7\BD.cmd C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_c9a77b62978c68da\Display.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\rescache\ResCache.mni C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\wip\Segment1.cmf C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\wip\ResCache.dir C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\N7\TD.cmd C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\N7\TD.cmd C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\N7\AD.cmd C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332\themecpl.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\N7\BD.cmd C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_2bba41a8e9e5ffdb\shell32.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_87d8dd2ca2437111\shell32.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468\themecpl.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_6d88dfdedf2ef7a4\Display.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\rescache\wip\Segment0.cmf C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\wip\Segment0.toc C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\wip\Segment1.toc C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\REGISTER.reg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\REGISTER.reg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\IEMaximizer.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\N7\AD.cmd C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\rescache\wip\ResCache.hit C:\Windows\SysWOW64\mcbuilder.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mcbuilder.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies File Icons

ransomware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons C:\Windows\SysWOW64\reg.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000} C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32} C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWow64\\Macromed\\Flash" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil10d.exe" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A

Modifies Shortcut Icons

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons\29 = "C:\\Windows\\System32\\imageres.dll,196" C:\Windows\SysWOW64\reg.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\SysWOW64\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache C:\Windows\SysWOW64\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached C:\Windows\SysWOW64\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\SysWOW64\regedit.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1AA53EE6-3170-4D34-A020-B6443A53A257}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r24\ = "WinRAR" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r03 C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r20\ = "WinRAR" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r19\ = "WinRAR" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.arj C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEMaximizer.IEMaximizerObj.1\CLSID\ = "{1AA53EE6-3170-4D34-A020-B6443A53A257}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDA9221C-1B37-4562-B26A-3DED14C8FDDA}\TypeLib\ = "{DC12326E-E897-4E2E-A51C-25F07F8A57BE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r23\ = "WinRAR" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.xxe C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32 C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000} C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\ = "Macromedia Flash Factory Object" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\Macromed\\Flash" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\ = "Shockwave Flash Object" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000} C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.7z C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\ = "Shockwave Flash Object" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1AA53EE6-3170-4D34-A020-B6443A53A257}\TypeLib\ = "{DC12326E-E897-4E2E-A51C-25F07F8A57BE}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0\0\win32\ = "C:\\Windows\\IEMaximizer.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r24 C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.uue C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\ = "FlashBroker" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r28\ = "WinRAR" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib\ = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEMaximizer.IEMaximizerObj.1\ = "IEMaximizerObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0\ = "IEMaximizer 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2 C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command C:\Program Files (x86)\WinRAR\uninstall.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\mcbuilder.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\mcbuilder.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\mcbuilder.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe
PID 1372 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe
PID 1372 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe
PID 1372 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe
PID 1372 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe
PID 1372 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe
PID 1372 wrote to memory of 1696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe
PID 1696 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe C:\Program Files (x86)\WinRAR\uninstall.exe
PID 1696 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe C:\Program Files (x86)\WinRAR\uninstall.exe
PID 1696 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe C:\Program Files (x86)\WinRAR\uninstall.exe
PID 1696 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe C:\Program Files (x86)\WinRAR\uninstall.exe
PID 1696 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe C:\Program Files (x86)\WinRAR\uninstall.exe
PID 1696 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe C:\Program Files (x86)\WinRAR\uninstall.exe
PID 1696 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe C:\Program Files (x86)\WinRAR\uninstall.exe
PID 2208 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe
PID 1372 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe
PID 1372 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe
PID 1372 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe
PID 1372 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe
PID 1372 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe
PID 1372 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe
PID 2208 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1372 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1372 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1372 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1372 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1372 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1372 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1372 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1372 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe

"C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Install.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\001 /V 1 /D "REGEDIT /S C:\Windows\register.reg" /f

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe /s

C:\Program Files (x86)\WinRAR\uninstall.exe

"C:\Program Files (x86)\WinRAR\uninstall.exe" /setup

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /S /Q "C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del /F /Q "C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe /s

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c rd /S /Q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe.tmp"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del /F /Q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe.tmp"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 IEMaximizer.dll /s

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 29 /d C:\Windows\System32\imageres.dll,196 /f

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I "Starter"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I "HomeBasic"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I "HomePremium"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I "Professional"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I "Ultimate"

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I ACRSYS

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I DSGLTD

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I ALWARE

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I BENQ

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I DELL

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I ASUS

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I FOUNDR

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I FSC

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I FUJ

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I HPQ

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I LENOVO

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I MEDION

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I MSI

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I NOKIA

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I SECCSD

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I Sony

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I TOSASU

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I TOSCPL

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I TOSINV

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I TOSQCI

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I AVERATEC

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I JOOYON

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I LG

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I NEC

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I SHARP

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I TCL

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I HASEE

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I GBT

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I haier

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I QUANMX

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I THTFPC

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I TRIGEM

C:\Windows\SysWOW64\cscript.exe

cscript C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe

data\N7\Tasks\GD.exe /y

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe

data\N7\Tasks\GD.exe /m

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe

data\N7\Tasks\GD.exe /d

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\N7\AD.cmd

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\N7\AD.cmd /deny everyone:f

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\N7\BD.cmd

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\N7\BD.cmd /deny everyone:f

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\N7\GD.exe

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\N7\GD.exe /deny everyone:f

C:\Windows\SysWOW64\sc.exe

sc config sppsvc start= demand

C:\Windows\SysWOW64\schtasks.exe

schtasks /delete /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask1" /xml data\N7\Tasks\SvcRestartTask1.xml /ru System /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask2" /xml data\N7\Tasks\SvcRestartTask2.xml /ru System /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask3" /xml data\N7\Tasks\SvcRestartTask3.xml /ru System /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask4" /xml data\N7\Tasks\SvcRestartTask4.xml /ru System /f

C:\Windows\SysWOW64\netsh.exe

C:\Windows\System32\netsh.exe interface tcp set global autotuninglevel=highlyrestricted

C:\Windows\SysWOW64\regedit.exe

regedit /s data\Option\Prefetch1.reg

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\Temp /r /d y

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\Temp /t /grant everyone:f

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\slmgr.vbs

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\slmgr.vbs /grant everyone:f

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\systemcpl.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\systemcpl.dll /grant everyone:f

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\sppcomapi.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\sppcomapi.dll /grant everyone:f

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\winver.exe

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\winver.exe /grant everyone:f

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\user32.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\user32.dll /grant everyone:f

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\ko-kr\shell32.dll.mui"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\ko-kr\shell32.dll.mui"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\ko-kr\themecpl.dll.mui"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\ko-kr\themecpl.dll.mui"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\ko-kr\Display.dll.mui"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\ko-kr\Display.dll.mui"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\winsxs\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_2bba41a8e9e5ffdb"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_87d8dd2ca2437111"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\winsxs\x86_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_6d88dfdedf2ef7a4"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_c9a77b62978c68da"

C:\Windows\SysWOW64\regedit.exe

regedit /s data\Shortcut\MuiCache.reg

C:\Windows\SysWOW64\mcbuilder.exe

C:\Windows\System32\mcbuilder.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" del C:\Windows\Prefetch\*.* 1>nul"

C:\Windows\SysWOW64\shutdown.exe

SHUTDOWN -R -F -T 00

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 198.58.118.167:80 www.aieov.com tcp

Files

C:\Windows\IEMaximizer.dll

C:\Users\Admin\AppData\Local\Temp\nso5C74.tmp\NSISArray.dll

C:\Users\Admin\AppData\Local\Temp\nso5C74.tmp\fpinstall.dll

\Users\Admin\AppData\Local\Temp\nso5C74.tmp\System.dll

MD5 16ae54e23736352739d7ab156b1965ba
SHA1 14f8f04bed2d6adc07565d5c064f6931b128568f
SHA256 c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc
SHA512 15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx

MD5 3e5c5ed3eaec55aba27f68440360ae05
SHA1 af372129cd7e6fa3b99cd5b6ebfba034afc8de65
SHA256 57937c093124bd488a449d855076a5bd359ecf9ded8533838833032e7efaca45
SHA512 5d484bce66eda05b545a161c82b848403b11801399d6ac3475e504e593d1d3a8eb7107180454f6cf02b1e7092ba506c322a6931c22508ce22d9a24db74603361

\Users\Admin\AppData\Local\Temp\nso5C74.tmp\UserInfo.dll

MD5 68d73a95c628836b67ea5a717d74b38c
SHA1 935372db4a66f9dfd6c938724197787688e141b0
SHA256 21a373c52aaecce52b41aebe6d0224f53760fc3e5c575e821175eee3a1f7f226
SHA512 0e804deab4e647213132add4173c1d2c554c628816f56e21e274a40e185d90254e29c8bfc6fbfdfea2a492d43d23c0bfa4b276252a3f5e1993ab80ff832c4914

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rarreg.key

MD5 a508f08707b56a83b2e17c88694cf9f6
SHA1 eb767de79732e94769d146ddd70dbd94db390ab5
SHA256 510929488b7ef3827fde8860369cd867b2b02d48c7e4bbb86db48eb833bcee4a
SHA512 45a0b54bbd5281a9e392aa051c5e601e015496da4f4c5aef841e9eb10bbee03dbec88f3d6c901f29f5962fb05cd16efdd7cb19fa6bd99718a6e57cf77b8af83e

C:\Program Files (x86)\WinRAR\WinRAR.exe

MD5 31ae4919723e41ae26a0ca390489c508
SHA1 c36b00ad8bc7486a95935c4fb1bb45a70b4e4f92
SHA256 68937e03154d4957e7280ad29951047509ddbd0a00210570478270a84cc12096
SHA512 bd0c5e32159929ba1b0f966fed8a9d96ffed8ad080c359e65c39705025328627682f3d6ba507a5d1b96f9d5ad72ebdd6e68fd0a021cc39d31f9ac6918ab78a96

C:\Program Files (x86)\WinRAR\Rar.txt

MD5 e8ec8d1e5f0e78752a8b82822bb75f76
SHA1 eae3513a3e56e8b99761a0cd44c1f9828e2da293
SHA256 7c1fe0d8f6c802da18aa0f37902c1559a29c5073246e28258eb89f7983aaa643
SHA512 d7b84eb535762ca6b422e2cab59fcc3c02cd07b03ff432f68212aa5c8eac879567ffcb21ed3aacd655d58d18307f9f343df4013a9fbeb5d168184ddd69089ee8

C:\Program Files (x86)\WinRAR\WinRAR.chm

MD5 66a2ed9fa095a68fdbed52151d096bbf
SHA1 49d8a6375078deb929070643dd205b276a77d82c
SHA256 bd58f7952f7e92ef7ae0367f1ec0090473ab4587e27e83d4856c650325bb71da
SHA512 3dc4c603ba044c7fcaa5d4187ffa10952771f5694ca114c69057f99d3fdc56b79647d833285083419842822e64329115a26066866fdd814268d6392689c07c63

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe

MD5 128ada8119b4f860e1aca1891e8abde2
SHA1 f4ec0e95099e354fd01cd3bb27c202f54932dc70
SHA256 016b77d19d9fde6f7d5b477eb7008df80c51ff02acb5f950c986e45a0c2a78d3
SHA512 33df2213fb8580fa2f377f0f9a5d8c526a0e018998bd64e85a0b3db6aedc5536224b87097e8af75f3845e45ce0032174f08346b154e5de94578cfbfba9c4375f

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe.tmp

MD5 ef8134a6f610d7e24dd5809a6d42b63b
SHA1 b88f9b6db5aae9961df8033991bc0e2aa83e495b
SHA256 1f486a554f2f8f880c1303fcc75bbdd6dbd5a554ca34f90671ddefb09193f5e3
SHA512 6708c280498048aa60969cc5e2c69f2f4d62c11c9332eec91d16c220b606c2b9a2a9b7aafcf6b691f6c166e54363278c1879eaa172a9e99cf965e7e0cfe14d68

C:\Program Files (x86)\WinRAR\Uninstall.exe

MD5 49799aa663bf45a3c37dd739a5116d81
SHA1 ac088d8134ccbd9d1df3794c16f9778a3d588c56
SHA256 369e163608ecc4edec6a476ae5935b16230210de2f637b1eff03565214277632
SHA512 c525396822b23d4a11866239cdce33aa1c8e5d373f0ccb36a2196e5dcd9a9e5b287caa8aeb542e079b397018a45973c01ab3326a5228d2f607bdbffbd1446cd6

\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp

MD5 b44b67c02b7d868c804a47e7fe9c2b3a
SHA1 e5c8aa9186124cc0c791652e2cc9ce1fc4a74987
SHA256 bb4797ab80ecda5d4e5101e7de4b5ee9001bb3745a4873e5b43b8759946fce72
SHA512 c682c16dfa8831d989e65ccf0ead74a8a9932f88f2837834757d35f032bcd230bfe6752c004cac6c646395af8fb3a51ea92b0418fb34be93a83da87c8708f1d2

C:\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe

MD5 9fd58d13b4543c52685d4f77bebb34c1
SHA1 9b227de95bfbf859abeb22502a447948f2e6f5ac
SHA256 7548334ef0a06989c22003af8a9bfd9a74e8026fa422bbc7dfeddc42d2221712
SHA512 f580500c0154f606bed5a914ec86ebbe72c0064892c980ee8e9d65b53ea5e37da9523616901c168846aca91f4b7ce4cf5a30bd67406c739939b8bbc9f3ef930e

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\REGISTER.reg

MD5 63020cbe973fa1ad07d932f7b1ffe54b
SHA1 43e7cef771362ba633c0f8ef569b42dacb3c8f62
SHA256 ba66da2025be4dfab3ffd08c4b4b2f5bc0511e9d784a993f4e6b9854a98cce3e
SHA512 ee3c135d7e527f9b877e22fbcae20f667511600a1ffd1b11e40ffac032291ee3180480f407f2232689ceebc5d481759a7fe1804e88a6abdc4b1707775eda9dd8

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Install.bat

MD5 9c671c46f977dd5967c95d110c022c6e
SHA1 42bafcbe214731c82e5199a7a6b918204ae8874e
SHA256 7088a6d70b9b90638ff569cafcab4f15466f4157e48f59301e266c39fb7981d0
SHA512 14080eccef9103323722d7abe4ad2e17920313ca3763be7238bf20cb76b0f55de64638b71dcff9a971b5b5bdbc0f4392bf214f6e1937c857157ea6cb3be33373

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332\themecpl.dll.mui

MD5 f7f931c5ac61c58a794b1cc7b064e095
SHA1 84adfebd384a8c0821188d0c724469835fe7f574
SHA256 a94c0c8aeef54296a3662a744be2ab6f8c078a216c044aed047ac2555f1f71f5
SHA512 819099165a84162bc9f91d5ef9da9c029c0606d4e43e4e29068af021960eb41ff3700358fc29760333c2879cb41a6a95ccb170d6a8638c2449917eca5cba0ca3

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468\themecpl.dll.mui

MD5 c6e7e1674fd77fe944dc40ccf5fb8ab3
SHA1 70dfa87edeb19f11a4f8c423a32749c43df580b1
SHA256 9bd7b658137b2320eb25af1fdfd3f439fb57a5893f6d8429bd785ee468e66e78
SHA512 fd2ce2b54e1fa446461eda5f1c4c93e8de0fe2ea0b76d3f29afaf1fa8d01796ac3e865b5ee526d17b31a42bcab67e5a3b7abd2a1edcaba89e05f9d6f282e7d8e

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\SysWOW64\ko-KR\Display.dll.mui

MD5 7e74f142b1aaca35c3c6cf28b6a40b86
SHA1 5fb838b42fd9268f95769a301ea214519f144768
SHA256 3bb9a3802f2a5aae367d46d39d478f0cd15fd7b1208acbbb7fca5426fdc6aba8
SHA512 c5f3b19330d8f61a721fe1f94d39477a3ed45406ce9cef92dd599dd860381081ed211fd37b13457c5a8b4ca6db466f22e91a1e72a67f3444804a076a67084019

memory/2208-4-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2208-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\TD.cmd

MD5 bdad2ade38f1dc5981087777b338e327
SHA1 0699e002c935d9b46df7a35bc8f0ec8b031e1027
SHA256 892d46ea5fd5547fa057fbbc09ef7ea8eca66d513cb80652310d9524b95dfc3f
SHA512 98c5a1c0f1aa9f5255034a8d34e45a6a913e53f704dc185c7032933b8f9af0eec7bca87b5b806103bc84b62aaebc15f92efccc1c44bcc93a5eb2d3ccc9018d99

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\AD.cmd

MD5 54d60650b4eb2f3ef4e751b08ef7c625
SHA1 9a612c4387eb5ab685f216826ba7d678817291ca
SHA256 6b1b29b19c4b1fde2503aa71f52c46643ad6267d835bbeef4fa2b4178ef50da2
SHA512 e29c6a939eedbaee591f37b65e4658210eab081b752394deb20856e0f9913f5f437ce479a81ee27aea824c06cfec5b4984bc42d25988d2349ada54ae646129f3

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe

MD5 849c3feba650d42a5a7ac46062d59c54
SHA1 a4396db103cd5841915a37a52cc827e90c4c368f
SHA256 623adc6fa585a467cfe67ca27629bf1ae2a9056103f3edcc71ca07fd223b8512
SHA512 a1b6ecfa25d31389dee930fea400ccb7085fbcb52f193d7a8fb768be7ccafe73747a7980caf56de2e1e762f4ef7660fb4659e74dd7288135e77cefa330edaa67

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\BD_Tail.cmd

MD5 64f19535d32b3df27bd0e4c8988eb90c
SHA1 79671f917cd93f5d44d5d63458474c433e279648
SHA256 bbe6e8ed9a625ed8364374b92dff3c1dd032177ce797857f851aa081ef1e89ee
SHA512 041d52db4602d446bcc92ce1380ae76e40e2108fac8fe031a46f4eb6cc654af5bdb4e1d5c48fa74bf83bd58b317e316080d91d2782dc412f1c636785163b761c

C:\Windows\N7\BD.cmd

MD5 daefed22cbba32c7ee5937807699b553
SHA1 20c33b1a6cbd66db296cbda2d296506a8817c192
SHA256 7cbce31ecc67b6aec0bfaabeaca9bd0575a3094dc189907154729b144cc265b6
SHA512 0b422520b03530ffe189a010e6f6361765dbfcfc30ba35faf59afec5a2b32badf08fbb827bea5d124c541da9dfc8fb5dbf9869fde22b92dec8cddda5088e61a8

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask1.xml

MD5 4999ae501e729ed8c34a0f6984b8b83a
SHA1 336f033bce30edcff75a696252ffcc19f368ba5f
SHA256 476ca80be8e0921303fabfa69c941c1c3019754f70eb5f2ab0820af6f4e5d4a3
SHA512 e2060469be064242539c55b6c7dbec22cbdce6d1feaad56ffec3d56b7045fab60df683c06afd54a73c45a5ebe9e1e8b5d1f8e73b897945da941ab3cf08eb8112

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask2.xml

MD5 01027180a6a26c5a2e3bf551f1dc7c44
SHA1 9b01c13025713a3fb00467e3d0176c742240c4f0
SHA256 b2ffd969413c208f1a69812055182506c887c7769794ca686ce68e66a2e87bf6
SHA512 bba113a44768731ad6e6a64839c07d026e03be14359749850bdd9549b9714f0336d6c27bab0d725913f1cbfdfbec694269d224807066ae68a50e1aa66c522f5d

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask3.xml

MD5 a293dbb2f8d2b1cf104cc5069bdc72e0
SHA1 42ef5370901fbac970633f44d11312670a2b4781
SHA256 a0ee763e8ca1a446d13a34cc14348c897b90053903fcf4bc415c6c20ecf3ef99
SHA512 9331f66eccbefc19b66bd983bf26c830901a9bb5ca33fbeeb821fc36c1722484cf9301e0d732133738b134461c537bd4a350fbf2d4be5ea07bb668cff389b4e1

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask4.xml

MD5 a34211b7e172d80ac6db1d1ab87fbb6d
SHA1 a7979e0a0d2122430081c4a06d73526095b54580
SHA256 bdd78e2045f43717423b66a338b0a5815359c13eedca5a6a70b79c3440682689
SHA512 d0285a77f7dc2042f49da61ba0d3d336024375d43b0b64bdc3e94ce47ba96b9b415ddcd90da43fd99381a0f3082f6f418e47163b1d683dd062e006eb82c263b4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Option\Prefetch1.reg

MD5 f2e7e95075c04b3bec89118952aeacf9
SHA1 669fcdbe70dced5524c91b631d7241b9ec0e1d8d
SHA256 a568d9604a56f35a3726636cd33c69ad48f607f55744565ba613addc432f1165
SHA512 a3121c0ea0afdae0a231df264745f90ae7660107ff24145e87d722a61b8497bdffc45cb9e2f13e4b5c0e96f577ac08b105a57015b14f8cc8575343d341776b56

memory/2208-380-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\slmgr.vbs

MD5 574e64a8373ee84bef032e205725527e
SHA1 4e3f5b2f3330f3735cd019f764ef856f5208ac13
SHA256 f188be045a388b2c028592cd61399d6d082099c35c05b620e396faa5a20ff04a
SHA512 dad8d2a1e6ba7d9c0bb447dba365b3d41c09925b1bb5566dd9ac7ab9fcfea4c4e906ef0d01c7666e2b8f85249281d3cb08b34f518b799670d2203eeb08a1b857

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\systemcpl.dll

MD5 911eb55f9f74a6383983e0a6a8a2772d
SHA1 5f40c2e1ff4e6a544ed160b355b6673925d66741
SHA256 3ab580c2f8d5588ced041a96b686c88987f8217283066e408d5092f0eac7c079
SHA512 0cec6c11552936c9af72b9eb8ac7d12abfde1caea99471e421375926705a4427df4727b0645663c6a267d2957ad741e29c5f74950bfa6adeaf1754eb061b390a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\sppcomapi.dll

MD5 69d9d1785ec1f5032538f2696210e2e2
SHA1 7dacc1c0fb5ca9e92fc1fcd90a23d74b75042c00
SHA256 444d4dfb574dcc145067b19763befd65d0e6ad9a7bb1423c92ef4ff4f6638145
SHA512 82839d76bc10dbc8849fc3879b3c776e218ed4d8496a40226116aa64798bdac41173a2dada4cc4478776c82af69cc5de541cd71fdc03eeb0301768dec0ef9e53

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\winver.EXE

MD5 7941f0c4bd4004269b268e66752dac9b
SHA1 6accf1d9b5981eb12a22c530c3d37be9ca54c415
SHA256 06c59055bd2d5bc2fc1950abb377b0aa33f74d8faab3ee074d54a2f8a93e38d2
SHA512 c8a720341ffeb39939d18c7d9f1c298554db5768d34bb24bfdf6f9f66ddbfb1884b7b20c30229cacc674856acf032081d55be4738bd7be7e1acbd781b25272a9

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\user32.dll

MD5 e573bd9ab55c8e333c202b9e255f972e
SHA1 460bde795885134b48465dc73797db695af33e1f
SHA256 79bec0da770265d1a525330b2e732e055edde617bcc2848c2742492f9dbc881e
SHA512 bcae097591cbc66e20771ef69e6544e5f951e0821b8d2a4779e524c542e5ad1d75ff683a15a76f5577e1e1389f4058cd36da7d0c785c504b2305cc144dc7b4bf

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\System32\ko-KR\shell32.dll.mui

MD5 1ffdf30fd8c8a747fd9add1497530072
SHA1 63954a4f3703a07e126a4dc345ac6ea1ac090d77
SHA256 7dc85b3a6324c3b5ad8b5b6be9ffb87b7cf15c6f0b0ff2376a8fa1242e791208
SHA512 99729dc858d885c258af44ad3492456644eb84ce0a772137ce1a9d4ca0e5765eb1d5d49351c943e4e21456f9a5775404effdc5649a8cc53e4c972d5b05be0961

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\SysWOW64\ko-KR\shell32.dll.mui

MD5 6bbc2ca29605dc83bd8f86eee2a98539
SHA1 1e0c4b316426be15c289c1a9e486e9b3e3095f0e
SHA256 e037bafa4dcca2f458b91bbbb1b6eae0604c0ab89d2622dabcf06c8c2328887f
SHA512 9fc7139eef0a35f3c754251871b512d2fdf5f063ded8171f7a27fef0b465d0396437c04506c210adc3d82b2a1b8604e766220957aa5a09792c25e96ef352a6d9

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\System32\ko-KR\Display.dll.mui

MD5 827d5f1094f6fb7ac4252dbeb193e9e9
SHA1 10e3b1eb59cdda5aa79f5d78dfc5269d1c8c15c3
SHA256 a6fd479ff612d294eb72597f434aed310ae06a6226de49368af077fe843a0bff
SHA512 717ca7697c66c94d1874fae1202db37a2269a63df0235705def1e05289a2f56c400d0f55ae68333aa3386e2625857f844d38cf9eadea09850da36287cb5d18a0

memory/1732-431-0x00000000770F0000-0x00000000771F0000-memory.dmp

memory/2208-435-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\AVERATEC .XRM-MS

MD5 172c78e78366f8dcbe4c4a5546bad60b
SHA1 67022b142bd1a0248206d1d10da3d51f88b4e1ef
SHA256 4a99e456460a326f2659706f031efe268d0dfabfb40f77d84dde6a5ba0e6e664
SHA512 4dc34aad5783835ac64328b9b351af8f1dfa6372ea5403582d62bc48398e5d56a169aef4fcce24e28ec04c64fbee1352ff433645f0e8faae438dd392e15fa6a4

memory/2208-473-0x0000000010000000-0x0000000010030000-memory.dmp

memory/2208-474-0x0000000000400000-0x0000000000429000-memory.dmp
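The Files section is the most reusable part of this report, but it needs reading with care: the sample itself writes only symsrv.dll and symsrv.dll.000 under Common Files\System (see the Program Files rows in behavioral2), while the WinRAR installer pieces, the Flash OCX and the ko-KR MUI files are written by the bundled installers. A hash hit therefore identifies the bundle, not a malicious file in every case. The script below is an added example, not part of the report: it parses the path-plus-hash blocks exactly as they appear above into IOC records, then sweeps a directory tree by SHA-256. REPORT_EXCERPT is copied from the entries above with the SHA512 lines trimmed, and the file written by demo_scan() is constructed and harmless.

```python
"""Turn the Files section above into a hash IOC list and sweep a directory for it.

Added example, not part of the sandbox report. REPORT_EXCERPT is copied from the
Files section on this page (SHA512 lines trimmed); the demo file written by
demo_scan() is constructed and harmless.
"""
import hashlib
import os
import re
from dataclasses import dataclass, field

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class FileIoc:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_files_section(text):
    """One FileIoc per reported path that carries at least one hash line.
    memory/... dump entries have no hashes and are dropped."""
    iocs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is None:
                continue
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{current.path}: {algo} digest has wrong length")
            current.hashes[algo] = digest
        else:
            if current is not None and current.hashes:
                iocs.append(current)
            current = FileIoc(path=line)
    if current is not None and current.hashes:
        iocs.append(current)
    return iocs


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs):
    """Walk root; return [(local path, reported path)] for SHA-256 matches.
    MD5/SHA-1 are kept only for cross-referencing other reports."""
    by_sha256 = {i.hashes["SHA256"]: i.path for i in iocs if "SHA256" in i.hashes}
    matches = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_file(p)
            except OSError:
                continue
            if digest in by_sha256:
                matches.append((p, by_sha256[digest]))
    return matches


# Copied from the Files section above; SHA512 lines omitted for brevity.
REPORT_EXCERPT = r"""
C:\Windows\IEMaximizer.dll

MD5 8bda56f78a481b0b82cbee68b0e21e6b
SHA1 738c4cac60703a918b7be5f3024b93662f2803e1
SHA256 98d17e31e263dce151255413a73dc8db0d6ba9a3325cc9b243a516caa3b5d7d9

C:\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

memory/2208-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Windows\N7\GD.exe

MD5 849c3feba650d42a5a7ac46062d59c54
SHA1 a4396db103cd5841915a37a52cc827e90c4c368f
SHA256 623adc6fa585a467cfe67ca27629bf1ae2a9056103f3edcc71ca07fd223b8512
"""


def demo_scan():
    """Self-check: plant a constructed file, register its hash, confirm the sweep finds it."""
    import tempfile
    iocs = parse_files_section(REPORT_EXCERPT)
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "constructed.bin")
        with open(p, "wb") as f:
            f.write(b"constructed sample, not malware")
        planted = FileIoc("C:\\constructed.bin", {"SHA256": sha256_file(p)})
        hits = scan_tree(d, iocs + [planted])
    return [reported for _, reported in hits]


if __name__ == "__main__":
    for ioc in parse_files_section(REPORT_EXCERPT):
        print(ioc.path, ioc.hashes["SHA256"])
    print("demo:", demo_scan())
```

Pass a real root (for example a mounted image of a suspect host) to scan_tree with the parsed list; treat a hit on symsrv.dll as the Floxif indicator and a hit on the WinRAR or MUI files as evidence that this particular bundle was run.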

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 11:30

Reported

2024-11-09 11:30

Platform

win10v2004-20241007-en

Max time kernel

9s

Max time network

10s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe"

Signatures

Floxif family

floxif

Floxif, Floodfix

backdoor trojan floxif

Detects Floxif payload

backdoor
(no indicator rows recorded for this signature)

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ = "Adobe Flash Player" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ComponentID = "Flash" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IsInstalled = 01000000 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version = "10.0.42.34" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Locale = "EN" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000} C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A

ACProtect 1.3x - 1.4x DLL software

(no indicator rows recorded for this signature)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ C:\Program Files (x86)\WinRAR\uninstall.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\001\1 = "REGEDIT /S C:\\Windows\\register.reg" C:\Windows\SysWOW64\reg.exe N/A
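Two of the persistence rows above deserve a second look. The RunOnceEx entry runs REGEDIT /S C:\Windows\register.reg at the next logon, which is the real persistence hook here. The Active Setup rows, by contrast, set Version, IsInstalled, ComponentID and Locale for the component but no StubPath; Active Setup executes only a component's StubPath, so without one the entry is an install marker rather than something that runs at logon. The script below is an added example, not part of the report: it parses the indicator rows in the layout used on this page (action, indicator, process, target, a grammar inferred from the rows and therefore an assumption about the report format), normalises the WOW6432Node hive paths, tags each row with an ATT&CK technique, and checks every Active Setup GUID for a StubPath. SAMPLE_ROWS are copied from the rows above.

```python
"""Parse and classify the registry indicator rows in the Signatures section above.

Added example, not part of the sandbox report. SAMPLE_ROWS are copied from the
rows on this page; the row grammar (action, indicator, process, target) is
inferred from them and is an assumption about the report layout.
"""
import re
from dataclasses import dataclass
from typing import Optional

ROW = re.compile(
    r"^(?P<action>Set value \(\w+\)|Key created|Key value queried)\s+"
    r"(?P<indicator>\\REGISTRY\\.+)\s+"      # greedy: the process is the last "X:\" token
    r"(?P<process>[A-Z]:\\.+?)\s+"
    r"(?P<target>\S+)$"
)
VALUE = re.compile(r"^(?P<key>.+?)\\(?P<name>[^\\]*) = (?P<data>.*)$")

# (pattern on the normalised key, technique, label)
RULES = [
    (re.compile(r"\\Active Setup\\Installed Components\\\{", re.I), "T1547.014", "Active Setup component"),
    (re.compile(r"\\CurrentVersion\\(RunOnceEx|RunOnce|Run)(\\|$)", re.I), "T1547.001", "Run / RunOnceEx autostart"),
    (re.compile(r"\\Explorer\\Browser Helper Objects\\\{", re.I), "T1176", "Browser Helper Object"),
    (re.compile(r"\\Classes\\exefile\\shellex\\", re.I), "T1546", "exefile shell extension handler"),
    (re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I), "T1614", "system location discovery"),
]


@dataclass
class RegRow:
    action: str
    key: str
    name: Optional[str]
    data: Optional[str]
    process: str
    technique: str
    label: str


def normalize_key(key):
    key = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", key, flags=re.I)
    key = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", key, flags=re.I)
    return re.sub(r"\\WOW6432Node\\", r"\\", key, flags=re.I)


def parse_row(line):
    """Split one indicator row into its columns and tag it with a technique."""
    m = ROW.match(line.strip())
    if not m:
        return None
    key, name, data = m["indicator"], None, None
    if m["action"].startswith("Set value"):
        v = VALUE.match(key)
        if v:
            key, name, data = v["key"], v["name"], v["data"]
    key = normalize_key(key).rstrip("\\")
    technique, label = "", "unclassified"
    for pat, tech, lab in RULES:
        if pat.search(key):
            technique, label = tech, lab
            break
    return RegRow(m["action"], key, name, data, m["process"], technique, label)


def active_setup_has_stubpath(rows):
    """Active Setup runs a component's StubPath at next logon when its Version
    changes; a component with only Version/IsInstalled/Locale set runs nothing."""
    out = {}
    for r in rows:
        g = re.search(r"Installed Components\\(\{[^}]+\})", r.key, re.I)
        if g:
            guid = g.group(1).upper()
            out[guid] = out.get(guid, False) or (r.name or "").lower() == "stubpath"
    return out


# Copied from the indicator rows above.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ = "Adobe Flash Player" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A',
    r'Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IsInstalled = 01000000 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version = "10.0.42.34" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000} C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Program Files (x86)\WinRAR\uninstall.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ C:\Program Files (x86)\WinRAR\uninstall.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\001\1 = "REGEDIT /S C:\\Windows\\register.reg" C:\Windows\SysWOW64\reg.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1AA53EE6-3170-4D34-A020-B6443A53A257} C:\Windows\SysWOW64\regsvr32.exe N/A',
]

if __name__ == "__main__":
    parsed = [parse_row(r) for r in SAMPLE_ROWS]
    for r in parsed:
        print(f"{r.technique or '-':10} {r.label:32} {r.key}")
    print("Active Setup StubPath present:", active_setup_has_stubpath(parsed))
```

On a live host the same classification can be applied to registry-set events from Sysmon (event IDs 12 and 13), which report the key in the same \REGISTRY\MACHINE form; the StubPath check is what separates a Flash-style install marker from an Active Setup entry that will actually execute.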

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1AA53EE6-3170-4D34-A020-B6443A53A257} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\slmgr.vbs C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\ko-KR\shell32.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
File opened for modification C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10d.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
File created C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
File opened for modification C:\Windows\SysWOW64\ko-KR\themecpl.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\ko-KR\Display.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\ko-KR\Display.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
File created C:\Windows\SysWOW64\systemcpl.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\winver.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\user32.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\user32.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\ko-KR\themecpl.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\Macromed\Flash\install.log C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
File opened for modification C:\Windows\SysWOW64\systemcpl.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\sppcomapi.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\winver.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\ko-KR\shell32.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10d.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
File created C:\Windows\SysWOW64\slmgr.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\sppcomapi.dll C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
(5 matches; no indicator rows recorded)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WinRAR\File_Id.diz C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\WinRAR.chm C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\WinCon.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\UnRAR.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\7zxa.dll C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\iso.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Default.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Formats\z.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Default.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Rar.txt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\WinRAR.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\WinRAR.chm C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Formats\arj.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Formats\tar.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Order.htm C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\UnRAR.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Formats\bz2.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\gz.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\tar.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Order.htm C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\RAR.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\rarnew.dat C:\Program Files (x86)\WinRAR\uninstall.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\RarExt64.dll C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\WinCon.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\File_Id.diz C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\License.txt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\RarFiles.lst C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files\Common Files\System\symsrv.dll C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe N/A
File created C:\Program Files (x86)\WinRAR\Formats\gz.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Formats\uue.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Zip_en-US.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\rarreg.key C:\Program Files (x86)\WinRAR\uninstall.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\rarreg.key C:\Program Files (x86)\WinRAR\uninstall.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Descript.ion C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\RAR.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\RarExtLoader.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\7z.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\ace.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created \??\c:\program files\common files\system\symsrv.dll.000 C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe N/A
File created C:\Program Files (x86)\WinRAR\Formats\lzh.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Default_en-US.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\__tmp_rar_sfx_access_check_240622546 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\TechNote.txt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Formats\ace.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\bz2.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Formats\UNACEV2.DLL C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Formats\z.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Default_en-US.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Descript.ion C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Uninstall.lst C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\Uninstall.lst C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\RarExt.dll C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\RarExt64.dll C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\WinCon_en-US.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\TechNote.txt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\RarExtLoader.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File opened for modification C:\Program Files (x86)\WinRAR\RarExt.dll C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Rar.txt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\Formats\cab.fmt C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A
File created C:\Program Files (x86)\WinRAR\WinCon_en-US.SFX C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\IEMaximizer.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\rescache\_merged\1102129660\345889209.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\1008669510\1734134314.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File opened for modification C:\Windows\N7\BD.cmd C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\rescache\_merged\242531539\609458986.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_2bba41a8e9e5ffdb\shell32.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\rescache\_merged\2285375612\822456485.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\2879188601\1382411678.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\3983011459\1580804228.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\2360802049\1299715264.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File opened for modification C:\Windows\REGISTER.reg C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\N7\AD.cmd C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\N7\GD.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\rescache\_merged\1910676589\260453855.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\2229298842\2338367480.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\2263554406\1489458240.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\899128513\278537531.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332\themecpl.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_c9a77b62978c68da\Display.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\rescache\_merged\431186354\664160052.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\64831148\1708141201.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File opened for modification C:\Windows\N7\TD.cmd C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468\themecpl.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\rescache\_merged\92721896\1006516967.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\3252231599\1102529190.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File opened for modification C:\Windows\N7\GD.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\N7\BD.cmd C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\rescache\_merged\3214612860\191226432.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\2782477206\3183301228.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\3200614358\91508946.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_6d88dfdedf2ef7a4\Display.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\rescache\_merged\2530935351\2043112024.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\1691975690\289124040.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\3977956527\660711251.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\2965031256\2186393681.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\1712550052\1566146761.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\3479232320\10984804.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File opened for modification C:\Windows\N7\AD.cmd C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\rescache\_merged\3937681233\2629454849.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\3246022523\1026222830.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\1045417640\1970411053.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\N7\TD.cmd C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\rescache\_merged\2939201637\2780454293.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\4245263321\972629028.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\REGISTER.reg C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_87d8dd2ca2437111\shell32.dll.mui C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\rescache\_merged\1936697710\3765975002.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\3970336390\2852777008.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\3628602599\4114135626.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\2137598169\2220136654.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\1945310375\2859827603.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\1649057605\2370279289.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\1902349548\2095009400.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\IEMaximizer.dll C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\rescache\_merged\205257784\1090160821.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\3031988681\2910786296.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\2899339121\3421633766.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\2928961003\3648374783.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\4278325366\997494378.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\2181205234\223941317.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\942976607\1045346277.pri C:\Windows\SysWOW64\mcbuilder.exe N/A
File created C:\Windows\rescache\_merged\482193516\3536622724.pri C:\Windows\SysWOW64\mcbuilder.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\shutdown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies File Icons

ransomware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons C:\Windows\SysWOW64\reg.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWow64\\Macromed\\Flash" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil10d.exe" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000} C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32} C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A

Modifies Shortcut Icons

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\29 = "C:\\Windows\\System32\\imageres.dll,196" C:\Windows\SysWOW64\reg.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "194" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\SysWOW64\regedit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\WinRAR32 C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r06 C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0\HELPDIR\ = "C:\\Windows" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "ShockwaveFlash.ShockwaveFlash" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0\ = "IEMaximizer 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDA9221C-1B37-4562-B26A-3DED14C8FDDA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Program Files (x86)\\WinRAR\\WinRAR.exe\" \"%1\"" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\Macromed\\Flash" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib\Version = "1.1" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r26 C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mfp C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "WinRAR" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.7z C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r13 C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR ?? ??" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\ = "Shockwave Flash Object" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000} C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r27 C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\ = "FlashBroker" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ = "IFlashAccessibility" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32 C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AA53EE6-3170-4D34-A020-B6443A53A257}\ = "IEMaximizerObj Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r19 C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r19\ = "WinRAR" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bz\ = "WinRAR" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ = "IFlashBroker3" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\MuiCache C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r22 C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r20 C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files (x86)\\WinRAR\\rarnew.dat" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r23\ = "WinRAR" C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\ = "Shockwave Flash Object" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR C:\Program Files (x86)\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" C:\Program Files (x86)\WinRAR\uninstall.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\mcbuilder.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4520 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 4520 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe C:\Windows\SysWOW64\cmd.exe
PID 408 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 408 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 408 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 408 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe
PID 408 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe
PID 408 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe
PID 4588 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe C:\Program Files (x86)\WinRAR\uninstall.exe
PID 4588 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe C:\Program Files (x86)\WinRAR\uninstall.exe
PID 4588 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe C:\Program Files (x86)\WinRAR\uninstall.exe
PID 408 wrote to memory of 2124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe
PID 408 wrote to memory of 2124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe
PID 408 wrote to memory of 2124 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe
PID 408 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 408 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 408 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 408 wrote to memory of 3608 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
PID 408 wrote to memory of 3608 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
PID 408 wrote to memory of 3608 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
PID 408 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 408 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 408 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 408 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 3348 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
PID 408 wrote to memory of 3348 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
PID 408 wrote to memory of 3348 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
PID 408 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 408 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 408 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 408 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 2368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 408 wrote to memory of 2368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 408 wrote to memory of 2368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 408 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 408 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 408 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 408 wrote to memory of 400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 2252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 408 wrote to memory of 2252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 408 wrote to memory of 2252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 408 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 408 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 408 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 408 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 408 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe

"C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Install.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\001 /V 1 /D "REGEDIT /S C:\Windows\register.reg" /f

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe /s

C:\Program Files (x86)\WinRAR\uninstall.exe

"C:\Program Files (x86)\WinRAR\uninstall.exe" /setup

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe /s

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 IEMaximizer.dll /s

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 29 /d C:\Windows\System32\imageres.dll,196 /f

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I "Starter"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I "HomeBasic"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I "HomePremium"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I "Professional"

C:\Windows\SysWOW64\reg.exe

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I "Ultimate"

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I ACRSYS

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I DSGLTD

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I ALWARE

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I BENQ

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I DELL

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I ASUS

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I FOUNDR

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I FSC

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I FUJ

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I HPQ

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I LENOVO

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I MEDION

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I MSI

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I NOKIA

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I SECCSD

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I Sony

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I TOSASU

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I TOSCPL

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I TOSINV

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I TOSQCI

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I AVERATEC

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I JOOYON

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I LG

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I NEC

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I SHARP

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I TCL

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I HASEE

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I GBT

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I haier

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I QUANMX

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I THTFPC

C:\Windows\SysWOW64\reg.exe

REG QUERY HKLM\HARDWARE\ACPI\RSDT

C:\Windows\SysWOW64\findstr.exe

FINDSTR /I TRIGEM

C:\Windows\SysWOW64\cscript.exe

cscript C:\Windows\System32\slmgr.vbs -ipk

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe

data\N7\Tasks\GD.exe /y

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe

data\N7\Tasks\GD.exe /m

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe

data\N7\Tasks\GD.exe /d

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\N7\AD.cmd

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\N7\AD.cmd /deny everyone:f

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\N7\BD.cmd

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\N7\BD.cmd /deny everyone:f

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\N7\GD.exe

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\N7\GD.exe /deny everyone:f

C:\Windows\SysWOW64\sc.exe

sc config sppsvc start= demand

C:\Windows\SysWOW64\schtasks.exe

schtasks /delete /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask1" /xml data\N7\Tasks\SvcRestartTask1.xml /ru System /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask2" /xml data\N7\Tasks\SvcRestartTask2.xml /ru System /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask3" /xml data\N7\Tasks\SvcRestartTask3.xml /ru System /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask4" /xml data\N7\Tasks\SvcRestartTask4.xml /ru System /f

C:\Windows\SysWOW64\netsh.exe

C:\Windows\System32\netsh.exe interface tcp set global autotuninglevel=highlyrestricted

C:\Windows\SysWOW64\regedit.exe

regedit /s data\Option\Prefetch1.reg

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\Temp /r /d y

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\Temp /t /grant everyone:f

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\slmgr.vbs

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\slmgr.vbs /grant everyone:f

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\systemcpl.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\systemcpl.dll /grant everyone:f

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\sppcomapi.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\sppcomapi.dll /grant everyone:f

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\winver.exe

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\winver.exe /grant everyone:f

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\user32.dll

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\user32.dll /grant everyone:f

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\ko-kr\shell32.dll.mui"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\ko-kr\shell32.dll.mui"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\ko-kr\themecpl.dll.mui"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\ko-kr\themecpl.dll.mui"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\System32\ko-kr\Display.dll.mui"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SysWOW64\ko-kr\Display.dll.mui"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\winsxs\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_2bba41a8e9e5ffdb"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_87d8dd2ca2437111"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\winsxs\x86_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_6d88dfdedf2ef7a4"

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_c9a77b62978c68da"

C:\Windows\SysWOW64\regedit.exe

regedit /s data\Shortcut\MuiCache.reg

C:\Windows\SysWOW64\mcbuilder.exe

C:\Windows\System32\mcbuilder.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" del C:\Windows\Prefetch\*.* 1>nul"

C:\Windows\SysWOW64\shutdown.exe

SHUTDOWN -R -F -T 00

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa38e2855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 www.aieov.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 45.79.19.196:80 www.aieov.com tcp
US 8.8.8.8:53 196.19.79.45.in-addr.arpa udp
US 8.8.8.8:53 5isohu.com udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/4520-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Program Files\Common Files\System\symsrv.dll

MD5 7574cf2c64f35161ab1292e2f532aabf
SHA1 14ba3fa927a06224dfe587014299e834def4644f
SHA256 de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA512 4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

memory/4520-5-0x0000000010000000-0x0000000010030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\SysWOW64\ko-KR\Display.dll.mui

MD5 7e74f142b1aaca35c3c6cf28b6a40b86
SHA1 5fb838b42fd9268f95769a301ea214519f144768
SHA256 3bb9a3802f2a5aae367d46d39d478f0cd15fd7b1208acbbb7fca5426fdc6aba8
SHA512 c5f3b19330d8f61a721fe1f94d39477a3ed45406ce9cef92dd599dd860381081ed211fd37b13457c5a8b4ca6db466f22e91a1e72a67f3444804a076a67084019

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332\themecpl.dll.mui

MD5 f7f931c5ac61c58a794b1cc7b064e095
SHA1 84adfebd384a8c0821188d0c724469835fe7f574
SHA256 a94c0c8aeef54296a3662a744be2ab6f8c078a216c044aed047ac2555f1f71f5
SHA512 819099165a84162bc9f91d5ef9da9c029c0606d4e43e4e29068af021960eb41ff3700358fc29760333c2879cb41a6a95ccb170d6a8638c2449917eca5cba0ca3

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468\themecpl.dll.mui

MD5 c6e7e1674fd77fe944dc40ccf5fb8ab3
SHA1 70dfa87edeb19f11a4f8c423a32749c43df580b1
SHA256 9bd7b658137b2320eb25af1fdfd3f439fb57a5893f6d8429bd785ee468e66e78
SHA512 fd2ce2b54e1fa446461eda5f1c4c93e8de0fe2ea0b76d3f29afaf1fa8d01796ac3e865b5ee526d17b31a42bcab67e5a3b7abd2a1edcaba89e05f9d6f282e7d8e

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Install.bat

MD5 9c671c46f977dd5967c95d110c022c6e
SHA1 42bafcbe214731c82e5199a7a6b918204ae8874e
SHA256 7088a6d70b9b90638ff569cafcab4f15466f4157e48f59301e266c39fb7981d0
SHA512 14080eccef9103323722d7abe4ad2e17920313ca3763be7238bf20cb76b0f55de64638b71dcff9a971b5b5bdbc0f4392bf214f6e1937c857157ea6cb3be33373

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\REGISTER.reg

MD5 63020cbe973fa1ad07d932f7b1ffe54b
SHA1 43e7cef771362ba633c0f8ef569b42dacb3c8f62
SHA256 ba66da2025be4dfab3ffd08c4b4b2f5bc0511e9d784a993f4e6b9854a98cce3e
SHA512 ee3c135d7e527f9b877e22fbcae20f667511600a1ffd1b11e40ffac032291ee3180480f407f2232689ceebc5d481759a7fe1804e88a6abdc4b1707775eda9dd8

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\IEMaximizer.dll

MD5 8bda56f78a481b0b82cbee68b0e21e6b
SHA1 738c4cac60703a918b7be5f3024b93662f2803e1
SHA256 98d17e31e263dce151255413a73dc8db0d6ba9a3325cc9b243a516caa3b5d7d9
SHA512 8b5426b231bedeffb4e9f7c3896fd5cc56299830e6a6d0975d4b7c211cb1bc14ce48619867baec3a707199f5fd175eed6f6331b34a196d93929480ce100bbbe1

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe

MD5 9fd58d13b4543c52685d4f77bebb34c1
SHA1 9b227de95bfbf859abeb22502a447948f2e6f5ac
SHA256 7548334ef0a06989c22003af8a9bfd9a74e8026fa422bbc7dfeddc42d2221712
SHA512 f580500c0154f606bed5a914ec86ebbe72c0064892c980ee8e9d65b53ea5e37da9523616901c168846aca91f4b7ce4cf5a30bd67406c739939b8bbc9f3ef930e

C:\Program Files (x86)\WinRAR\Uninstall.exe

MD5 49799aa663bf45a3c37dd739a5116d81
SHA1 ac088d8134ccbd9d1df3794c16f9778a3d588c56
SHA256 369e163608ecc4edec6a476ae5935b16230210de2f637b1eff03565214277632
SHA512 c525396822b23d4a11866239cdce33aa1c8e5d373f0ccb36a2196e5dcd9a9e5b287caa8aeb542e079b397018a45973c01ab3326a5228d2f607bdbffbd1446cd6

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe

MD5 128ada8119b4f860e1aca1891e8abde2
SHA1 f4ec0e95099e354fd01cd3bb27c202f54932dc70
SHA256 016b77d19d9fde6f7d5b477eb7008df80c51ff02acb5f950c986e45a0c2a78d3
SHA512 33df2213fb8580fa2f377f0f9a5d8c526a0e018998bd64e85a0b3db6aedc5536224b87097e8af75f3845e45ce0032174f08346b154e5de94578cfbfba9c4375f

C:\Program Files (x86)\WinRAR\Rar.txt

MD5 e8ec8d1e5f0e78752a8b82822bb75f76
SHA1 eae3513a3e56e8b99761a0cd44c1f9828e2da293
SHA256 7c1fe0d8f6c802da18aa0f37902c1559a29c5073246e28258eb89f7983aaa643
SHA512 d7b84eb535762ca6b422e2cab59fcc3c02cd07b03ff432f68212aa5c8eac879567ffcb21ed3aacd655d58d18307f9f343df4013a9fbeb5d168184ddd69089ee8

C:\Program Files (x86)\WinRAR\WinRAR.chm

MD5 66a2ed9fa095a68fdbed52151d096bbf
SHA1 49d8a6375078deb929070643dd205b276a77d82c
SHA256 bd58f7952f7e92ef7ae0367f1ec0090473ab4587e27e83d4856c650325bb71da
SHA512 3dc4c603ba044c7fcaa5d4187ffa10952771f5694ca114c69057f99d3fdc56b79647d833285083419842822e64329115a26066866fdd814268d6392689c07c63

C:\Program Files (x86)\WinRAR\WinRAR.exe

MD5 31ae4919723e41ae26a0ca390489c508
SHA1 c36b00ad8bc7486a95935c4fb1bb45a70b4e4f92
SHA256 68937e03154d4957e7280ad29951047509ddbd0a00210570478270a84cc12096
SHA512 bd0c5e32159929ba1b0f966fed8a9d96ffed8ad080c359e65c39705025328627682f3d6ba507a5d1b96f9d5ad72ebdd6e68fd0a021cc39d31f9ac6918ab78a96

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rarreg.key

MD5 a508f08707b56a83b2e17c88694cf9f6
SHA1 eb767de79732e94769d146ddd70dbd94db390ab5
SHA256 510929488b7ef3827fde8860369cd867b2b02d48c7e4bbb86db48eb833bcee4a
SHA512 45a0b54bbd5281a9e392aa051c5e601e015496da4f4c5aef841e9eb10bbee03dbec88f3d6c901f29f5962fb05cd16efdd7cb19fa6bd99718a6e57cf77b8af83e

C:\Users\Admin\AppData\Local\Temp\nsz9E55.tmp\System.dll

MD5 16ae54e23736352739d7ab156b1965ba
SHA1 14f8f04bed2d6adc07565d5c064f6931b128568f
SHA256 c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc
SHA512 15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

C:\Users\Admin\AppData\Local\Temp\nsz9E55.tmp\UserInfo.dll

MD5 68d73a95c628836b67ea5a717d74b38c
SHA1 935372db4a66f9dfd6c938724197787688e141b0
SHA256 21a373c52aaecce52b41aebe6d0224f53760fc3e5c575e821175eee3a1f7f226
SHA512 0e804deab4e647213132add4173c1d2c554c628816f56e21e274a40e185d90254e29c8bfc6fbfdfea2a492d43d23c0bfa4b276252a3f5e1993ab80ff832c4914

C:\Users\Admin\AppData\Local\Temp\nsz9E55.tmp\fpinstall.dll

MD5 071b6233c92f69ffa1c24243328c3b94
SHA1 bb583c00e87cdc65e6254c7148d37afc1bbb3095
SHA256 5f6c63cb0ba539d692c5461730f057d0ec6c60639d772fbdc3753c3c6e746c43
SHA512 7fc2db406350488ee86ccffe1e99a91e0f509ef0429063336bf6f96aab07127df352db77fe9d00ddc3aa2db7886dfbac08b6acf6a5c647859956111ca47c24f1

C:\Users\Admin\AppData\Local\Temp\nsz9E55.tmp\NSISArray.dll

MD5 2b8574f6a8f5de9042baa43c069d20ba
SHA1 07959da0c6b7715b51f70f1b0aea1f56ba7a4559
SHA256 38654eef0ee3715f4b1268f4b4176a6b487a0a9e53a27a4ec0b84550ea173564
SHA512 f034f71b6a18ee8024d40acd3c097d95c8fd8e128d75075cc452e71898c1c0322f21b54bd39ca72d053d7261ffbab0c5c1f820602d52fc85806513a6fe317e88

C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx

MD5 3e5c5ed3eaec55aba27f68440360ae05
SHA1 af372129cd7e6fa3b99cd5b6ebfba034afc8de65
SHA256 57937c093124bd488a449d855076a5bd359ecf9ded8533838833032e7efaca45
SHA512 5d484bce66eda05b545a161c82b848403b11801399d6ac3475e504e593d1d3a8eb7107180454f6cf02b1e7092ba506c322a6931c22508ce22d9a24db74603361

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\TD.cmd

MD5 bdad2ade38f1dc5981087777b338e327
SHA1 0699e002c935d9b46df7a35bc8f0ec8b031e1027
SHA256 892d46ea5fd5547fa057fbbc09ef7ea8eca66d513cb80652310d9524b95dfc3f
SHA512 98c5a1c0f1aa9f5255034a8d34e45a6a913e53f704dc185c7032933b8f9af0eec7bca87b5b806103bc84b62aaebc15f92efccc1c44bcc93a5eb2d3ccc9018d99

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\AD.cmd

MD5 54d60650b4eb2f3ef4e751b08ef7c625
SHA1 9a612c4387eb5ab685f216826ba7d678817291ca
SHA256 6b1b29b19c4b1fde2503aa71f52c46643ad6267d835bbeef4fa2b4178ef50da2
SHA512 e29c6a939eedbaee591f37b65e4658210eab081b752394deb20856e0f9913f5f437ce479a81ee27aea824c06cfec5b4984bc42d25988d2349ada54ae646129f3

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe

MD5 849c3feba650d42a5a7ac46062d59c54
SHA1 a4396db103cd5841915a37a52cc827e90c4c368f
SHA256 623adc6fa585a467cfe67ca27629bf1ae2a9056103f3edcc71ca07fd223b8512
SHA512 a1b6ecfa25d31389dee930fea400ccb7085fbcb52f193d7a8fb768be7ccafe73747a7980caf56de2e1e762f4ef7660fb4659e74dd7288135e77cefa330edaa67

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\BD_Tail.cmd

MD5 64f19535d32b3df27bd0e4c8988eb90c
SHA1 79671f917cd93f5d44d5d63458474c433e279648
SHA256 bbe6e8ed9a625ed8364374b92dff3c1dd032177ce797857f851aa081ef1e89ee
SHA512 041d52db4602d446bcc92ce1380ae76e40e2108fac8fe031a46f4eb6cc654af5bdb4e1d5c48fa74bf83bd58b317e316080d91d2782dc412f1c636785163b761c

C:\Windows\N7\BD.cmd

MD5 daefed22cbba32c7ee5937807699b553
SHA1 20c33b1a6cbd66db296cbda2d296506a8817c192
SHA256 7cbce31ecc67b6aec0bfaabeaca9bd0575a3094dc189907154729b144cc265b6
SHA512 0b422520b03530ffe189a010e6f6361765dbfcfc30ba35faf59afec5a2b32badf08fbb827bea5d124c541da9dfc8fb5dbf9869fde22b92dec8cddda5088e61a8

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask1.xml

MD5 4999ae501e729ed8c34a0f6984b8b83a
SHA1 336f033bce30edcff75a696252ffcc19f368ba5f
SHA256 476ca80be8e0921303fabfa69c941c1c3019754f70eb5f2ab0820af6f4e5d4a3
SHA512 e2060469be064242539c55b6c7dbec22cbdce6d1feaad56ffec3d56b7045fab60df683c06afd54a73c45a5ebe9e1e8b5d1f8e73b897945da941ab3cf08eb8112

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask2.xml

MD5 01027180a6a26c5a2e3bf551f1dc7c44
SHA1 9b01c13025713a3fb00467e3d0176c742240c4f0
SHA256 b2ffd969413c208f1a69812055182506c887c7769794ca686ce68e66a2e87bf6
SHA512 bba113a44768731ad6e6a64839c07d026e03be14359749850bdd9549b9714f0336d6c27bab0d725913f1cbfdfbec694269d224807066ae68a50e1aa66c522f5d

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask3.xml

MD5 a293dbb2f8d2b1cf104cc5069bdc72e0
SHA1 42ef5370901fbac970633f44d11312670a2b4781
SHA256 a0ee763e8ca1a446d13a34cc14348c897b90053903fcf4bc415c6c20ecf3ef99
SHA512 9331f66eccbefc19b66bd983bf26c830901a9bb5ca33fbeeb821fc36c1722484cf9301e0d732133738b134461c537bd4a350fbf2d4be5ea07bb668cff389b4e1

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask4.xml

MD5 a34211b7e172d80ac6db1d1ab87fbb6d
SHA1 a7979e0a0d2122430081c4a06d73526095b54580
SHA256 bdd78e2045f43717423b66a338b0a5815359c13eedca5a6a70b79c3440682689
SHA512 d0285a77f7dc2042f49da61ba0d3d336024375d43b0b64bdc3e94ce47ba96b9b415ddcd90da43fd99381a0f3082f6f418e47163b1d683dd062e006eb82c263b4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Option\Prefetch1.reg

MD5 f2e7e95075c04b3bec89118952aeacf9
SHA1 669fcdbe70dced5524c91b631d7241b9ec0e1d8d
SHA256 a568d9604a56f35a3726636cd33c69ad48f607f55744565ba613addc432f1165
SHA512 a3121c0ea0afdae0a231df264745f90ae7660107ff24145e87d722a61b8497bdffc45cb9e2f13e4b5c0e96f577ac08b105a57015b14f8cc8575343d341776b56

C:\Windows\SysWOW64\slmgr.vbs

MD5 574e64a8373ee84bef032e205725527e
SHA1 4e3f5b2f3330f3735cd019f764ef856f5208ac13
SHA256 f188be045a388b2c028592cd61399d6d082099c35c05b620e396faa5a20ff04a
SHA512 dad8d2a1e6ba7d9c0bb447dba365b3d41c09925b1bb5566dd9ac7ab9fcfea4c4e906ef0d01c7666e2b8f85249281d3cb08b34f518b799670d2203eeb08a1b857

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\systemcpl.dll

MD5 911eb55f9f74a6383983e0a6a8a2772d
SHA1 5f40c2e1ff4e6a544ed160b355b6673925d66741
SHA256 3ab580c2f8d5588ced041a96b686c88987f8217283066e408d5092f0eac7c079
SHA512 0cec6c11552936c9af72b9eb8ac7d12abfde1caea99471e421375926705a4427df4727b0645663c6a267d2957ad741e29c5f74950bfa6adeaf1754eb061b390a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\sppcomapi.dll

MD5 69d9d1785ec1f5032538f2696210e2e2
SHA1 7dacc1c0fb5ca9e92fc1fcd90a23d74b75042c00
SHA256 444d4dfb574dcc145067b19763befd65d0e6ad9a7bb1423c92ef4ff4f6638145
SHA512 82839d76bc10dbc8849fc3879b3c776e218ed4d8496a40226116aa64798bdac41173a2dada4cc4478776c82af69cc5de541cd71fdc03eeb0301768dec0ef9e53

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\winver.EXE

MD5 7941f0c4bd4004269b268e66752dac9b
SHA1 6accf1d9b5981eb12a22c530c3d37be9ca54c415
SHA256 06c59055bd2d5bc2fc1950abb377b0aa33f74d8faab3ee074d54a2f8a93e38d2
SHA512 c8a720341ffeb39939d18c7d9f1c298554db5768d34bb24bfdf6f9f66ddbfb1884b7b20c30229cacc674856acf032081d55be4738bd7be7e1acbd781b25272a9

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\user32.dll

MD5 e573bd9ab55c8e333c202b9e255f972e
SHA1 460bde795885134b48465dc73797db695af33e1f
SHA256 79bec0da770265d1a525330b2e732e055edde617bcc2848c2742492f9dbc881e
SHA512 bcae097591cbc66e20771ef69e6544e5f951e0821b8d2a4779e524c542e5ad1d75ff683a15a76f5577e1e1389f4058cd36da7d0c785c504b2305cc144dc7b4bf

C:\Windows\SysWOW64\ko-KR\shell32.dll.mui

MD5 0ea010da48315b44d3befceca3ddda0f
SHA1 19bd13e64a03f0d4ab0b90a266cb25b40ebc580c
SHA256 3cf494e14bee4d4370db50d3700a8b338c4b78e6001a3beb395c817bb9910fc7
SHA512 fc5ea974c78ae45def1388a7098e4167d55c924ec91211b568677a312d22786c12fee19e6bf2ca529934db378773397510f0a2710c76f4b9c659c5f231fdb2ec

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\System32\ko-KR\shell32.dll.mui

MD5 1ffdf30fd8c8a747fd9add1497530072
SHA1 63954a4f3703a07e126a4dc345ac6ea1ac090d77
SHA256 7dc85b3a6324c3b5ad8b5b6be9ffb87b7cf15c6f0b0ff2376a8fa1242e791208
SHA512 99729dc858d885c258af44ad3492456644eb84ce0a772137ce1a9d4ca0e5765eb1d5d49351c943e4e21456f9a5775404effdc5649a8cc53e4c972d5b05be0961

C:\Windows\SysWOW64\ko-KR\shell32.dll.mui

MD5 6bbc2ca29605dc83bd8f86eee2a98539
SHA1 1e0c4b316426be15c289c1a9e486e9b3e3095f0e
SHA256 e037bafa4dcca2f458b91bbbb1b6eae0604c0ab89d2622dabcf06c8c2328887f
SHA512 9fc7139eef0a35f3c754251871b512d2fdf5f063ded8171f7a27fef0b465d0396437c04506c210adc3d82b2a1b8604e766220957aa5a09792c25e96ef352a6d9

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\MuiCache.reg

MD5 91bd16ffa806694171e89ce6bf40ce5f
SHA1 4d776c6e5b565a2002f8559f77b5320fa8420b72
SHA256 06b91106a4169ee981a38915e694b6409f7c8cf11fef3ee845d218c32d71e509
SHA512 c9ed43ad2d7b0c7373fab8f14bf3a50b8541d730598cda4ef6af36724ed6a65ae2e5a81567de196f30f90b073a48ac61b3fc72ca14908f63a45092f33e48e61d

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\amd64_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_c9a77b62978c68da\Display.dll.mui

MD5 827d5f1094f6fb7ac4252dbeb193e9e9
SHA1 10e3b1eb59cdda5aa79f5d78dfc5269d1c8c15c3
SHA256 a6fd479ff612d294eb72597f434aed310ae06a6226de49368af077fe843a0bff
SHA512 717ca7697c66c94d1874fae1202db37a2269a63df0235705def1e05289a2f56c400d0f55ae68333aa3386e2625857f844d38cf9eadea09850da36287cb5d18a0

C:\Windows\Temp\17329.tmp

MD5 5870ea0d6ba8dd6e2008466bdd00e0f4
SHA1 d41bf60d0dedff90e3cfc1b41b7e1a73df39a7d5
SHA256 5a7dac8c8b5d7cf1115246dfaf994e7f50e16a7eac1488642396f5e23fddfe0d
SHA512 0c620d5e7383adcf979feccc3b1bad584a5cec8b3d74d0ace8bb786f1f04ba87fa70d59d041dc3833977d44a75f2070181d4054c7c0b9c4ce2d66249b4b3c837

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\AVERATEC .XRM-MS

MD5 172c78e78366f8dcbe4c4a5546bad60b
SHA1 67022b142bd1a0248206d1d10da3d51f88b4e1ef
SHA256 4a99e456460a326f2659706f031efe268d0dfabfb40f77d84dde6a5ba0e6e664
SHA512 4dc34aad5783835ac64328b9b351af8f1dfa6372ea5403582d62bc48398e5d56a169aef4fcce24e28ec04c64fbee1352ff433645f0e8faae438dd392e15fa6a4

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x86\System32\ko-KR\shell32.dll.mui

MD5 388ab00bc5a69f77f6ed8d1fd8ace855
SHA1 549b86c3087e98c13cb7cf4b7e718c6fbb8e92cb
SHA256 beeb3badd1b569dbcf601d5cd02527c8a57ede2c5a9f6d42e1a6d02f8cb1c12e
SHA512 bf3319ffd33c6a6483351496382792129f5f23acaf55a9a380b056860913a2eb5957e4f9dd842972e0d15e0e18f6846ac0618df71362ac501036ad0c7dd6cec0

memory/4520-597-0x0000000010000000-0x0000000010030000-memory.dmp

memory/4520-596-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4520-594-0x0000000076830000-0x00000000769D0000-memory.dmp