Analysis Overview
SHA256
a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bc
Threat Level: Known bad
The file a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN was found to be: Known bad.
Malicious Activity Summary
Floxif, Floodfix
Floxif family
Detects Floxif payload
Boot or Logon Autostart Execution: Active Setup
Possible privilege escalation attempt
Modifies system executable filetype association
Executes dropped EXE
Checks computer location settings
ACProtect 1.3x - 1.4x DLL software
Modifies file permissions
Event Triggered Execution: Component Object Model Hijacking
Loads dropped DLL
Adds Run key to start application
Indicator Removal: File Deletion
Installs/modifies Browser Helper Object
Enumerates connected drives
Checks installed software on the system
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
UPX packed file
Drops file in System32 directory
Launches sc.exe
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
NSIS installer
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Runs .reg file with regedit
Modifies Shortcut Icons
Modifies File Icons
Scheduled Task/Job: Scheduled Task
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
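The signature list above mixes two kinds of activity that the behavioral1 tables below separate by process: the WinRAR 3.91 and Flash Player 10 installers the archive bundles (wrar391.exe, flash.exe, and WinRAR's own uninstall.exe) account for the Program Files drops, the Active Setup entry, the exefile PropertySheetHandlers and the Internet Explorer settings, while cmd.exe, reg.exe, regsvr32.exe, takeown.exe, icacls.exe and the dropped N7\Tasks\GD.exe account for the RunOnceEx entry, the Browser Helper Object, the Shell Icons change and the files written into C:\Windows, C:\Windows\N7 and SysWOW64. The following host-triage script is an added example, not part of the report or of any vendor tool. It checks a Windows host for only the second group of artifacts, using the registry paths and file paths exactly as the behavioral1 tables record them; the function and finding names are the example's own, and reading the BHO's InprocServer32 value (standard COM registration, not something the report lists) is an assumption about how the registered DLL can be located. It needs an elevated PowerShell 4 or later session (for Get-FileHash); schtasks.exe column names are those of an English-language Windows.

```powershell
# Added host-triage script; not part of the sandbox report or of any vendor tool.
# It looks for the artifacts the behavioral1 tables attribute to cmd.exe, reg.exe,
# regsvr32.exe and N7\Tasks\GD.exe. Artifacts written by the bundled wrar391.exe
# and flash.exe installers (WinRAR 3.91, Flash Player 10) are excluded on purpose,
# because the report attributes them to those installers. The sample is 32-bit,
# so the Wow6432Node registry view is the one it wrote to.

function Invoke-FloxifBundleTriage {
    [CmdletBinding()]
    param()
    $ErrorActionPreference = 'SilentlyContinue'
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Kind, $Where, $Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
    }
    $wow = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion'

    # RunOnceEx\001\1 = "REGEDIT /S C:\Windows\register.reg" (set by reg.exe).
    # RunOnceEx entries are deleted once they have run, so absence proves nothing.
    $roe = Get-ItemProperty "$wow\RunOnceEx\001" -Name '1'
    if ($roe -and $roe.'1' -match 'REGEDIT') { Add-Finding 'Persistence' 'RunOnceEx\001\1' $roe.'1' }

    # Browser Helper Object registered by regsvr32.exe. InprocServer32 is the
    # standard COM registration value naming the DLL Internet Explorer will load
    # (assumed here; the report itself only records the BHO and CLSID keys).
    $bho = '{1AA53EE6-3170-4D34-A020-B6443A53A257}'
    if (Test-Path "$wow\Explorer\Browser Helper Objects\$bho") {
        $dll = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$bho\InprocServer32").'(default)'
        Add-Finding 'Persistence' "BHO $bho" "InprocServer32 = $dll"
    }

    # Shell Icons\29 overrides the shortcut-arrow overlay (reg.exe set it to imageres.dll,196).
    $icon = (Get-ItemProperty "$wow\Explorer\Shell Icons").'29'
    if ($icon) { Add-Finding 'Tamper' 'Shell Icons\29' $icon }

    # Files cmd.exe dropped outside the two installers' own directories.
    $dropped = 'C:\Windows\N7\GD.exe', 'C:\Windows\N7\AD.cmd', 'C:\Windows\N7\BD.cmd',
               'C:\Windows\N7\TD.cmd', 'C:\Windows\IEMaximizer.dll', 'C:\Windows\REGISTER.reg'
    foreach ($p in $dropped) {
        if (-not (Test-Path $p)) { continue }
        $hash = (Get-FileHash $p -Algorithm SHA256).Hash
        Add-Finding 'DroppedFile' $p "sha256=$hash"
        # The .reg file is what the RunOnceEx entry imports; keep its text for the case notes.
        if ($p -like '*.reg') { Add-Finding 'RegFile' $p ((Get-Content $p) -join ' | ') }
    }

    # SysWOW64 files the sample opened for modification after takeown/icacls.
    # A clean install has TrustedInstaller as owner; takeown hands ownership to the
    # caller. On Windows 7 catalog-signed files report NotSigned here, so a NotSigned
    # status is only meaningful together with a changed owner; sfc /verifyfile=<path>
    # settles whether the content still matches the component store.
    $system = 'user32.dll', 'winver.exe', 'slmgr.vbs', 'systemcpl.dll', 'sppcomapi.dll' |
              ForEach-Object { Join-Path 'C:\Windows\SysWOW64' $_ }
    foreach ($p in $system) {
        if (-not (Test-Path $p)) { continue }
        $owner  = (Get-Acl $p).Owner
        $status = (Get-AuthenticodeSignature $p).Status
        if ($owner -ne 'NT SERVICE\TrustedInstaller' -or $status -ne 'Valid') {
            Add-Finding 'SystemFile' $p "owner=$owner signature=$status"
        }
    }
    # ko-KR resource files were written to SysWOW64\ko-KR and WinSxS; a ko-KR folder
    # on a host that never had the Korean language pack is a lead by itself.
    $koKR = @(Get-ChildItem 'C:\Windows\SysWOW64\ko-KR' -Filter '*.mui')
    if ($koKR.Count -gt 0) {
        Add-Finding 'SystemFile' 'C:\Windows\SysWOW64\ko-KR' (($koKR | ForEach-Object { $_.Name }) -join ', ')
    }

    # Scheduled tasks whose action points at the N7 directory or GD.exe (the report
    # flags a task but records no detail). schtasks /V repeats its CSV header line
    # per task folder, so duplicate header lines are dropped before parsing.
    $raw = @(schtasks.exe /Query /FO CSV /V)
    if ($raw.Count -gt 1) {
        $rows = @($raw[0]) + @($raw[1..($raw.Count - 1)] | Where-Object { $_ -ne $raw[0] })
        foreach ($t in ($rows | ConvertFrom-Csv)) {
            if ($t.'Task To Run' -match 'N7\\|GD\.exe') { Add-Finding 'ScheduledTask' $t.TaskName $t.'Task To Run' }
        }
    }
    return $findings
}

Invoke-FloxifBundleTriage | Format-Table Kind, Where, Detail -AutoSize -Wrap
```

An empty result does not clear the host: the RunOnceEx value is consumed at the next logon and the sandbox run was cut off after 12 seconds of kernel time, so later stages of the N7 scripts were never observed. Treat the SystemFile rows as the strongest signal, since a changed owner on user32.dll or winver.exe has no legitimate explanation on a managed host.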
Analysis: static1
Detonation Overview
Reported
2024-11-09 11:30
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 11:30
Reported
2024-11-09 11:30
Platform
win7-20240903-en
Max time kernel
12s
Max time network
13s
Signatures
Floxif family
Floxif, Floodfix
Detects Floxif payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version = "10.0.42.34" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Locale = "EN" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000} | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ = "Adobe Flash Player" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ComponentID = "Flash" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IsInstalled = 01000000 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
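The Active Setup entry above is written by flash.exe and carries the Flash Player CLSID, Version, Locale, ComponentID and IsInstalled, but no StubPath, so nothing under it executes at logon; it is the bundled installer's normal registration rather than the sample's own persistence. What matters when reviewing Active Setup on a suspect host is the set of components that still have a StubPath pending for the current user. The function below is an added example, not from the report: it applies the Active Setup rule (a component runs once per user when its HKLM entry has a StubPath, IsInstalled is not 0, and HKCU has no copy of the entry or an older Version) and lists the entries that would fire. The function names and the assumption that Wow6432Node components track their per-user state under the same HKCU path are the example's own.

```powershell
# Added example, not from the report. Lists Active Setup components whose StubPath
# would execute at the next logon of the current user. Assumptions: the per-user
# state for Wow6432Node components lives under the same HKCU path as for native
# ones, and Version strings are numeric fields split by commas or dots
# (the Flash entry above uses "10.0.42.34").

function Get-PendingActiveSetup {
    [CmdletBinding()]
    param([switch]$IncludeWow6432Node)
    $ErrorActionPreference = 'SilentlyContinue'
    $roots = @('HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components')
    if ($IncludeWow6432Node) {
        $roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
    }
    foreach ($root in $roots) {
        foreach ($k in @(Get-ChildItem $root)) {
            $p = Get-ItemProperty $k.PSPath
            if (-not $p.StubPath) { continue }                       # nothing would execute
            $inst = $p.IsInstalled
            if ($inst -is [byte[]]) { $inst = [int]$inst[0] }        # REG_BINARY form, as 01000000 above
            if ($inst -ne $null -and [int]$inst -eq 0) { continue }  # explicitly disabled
            $userKey = "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\$($k.PSChildName)"
            $userVer = (Get-ItemProperty $userKey).Version
            if ((-not $userVer) -or ((Compare-ActiveSetupVersion $p.Version $userVer) -gt 0)) {
                [pscustomobject]@{
                    Component = $k.PSChildName
                    Name      = $p.'(default)'
                    Version   = $p.Version
                    UserVer   = $userVer
                    StubPath  = $p.StubPath
                }
            }
        }
    }
}

# Field-by-field numeric comparison; missing or non-numeric fields count as 0.
# Returns a positive number when $a is newer than $b, 0 when equal, negative otherwise.
function Compare-ActiveSetupVersion([string]$a, [string]$b) {
    $x = @($a -split '[,.]'); $y = @($b -split '[,.]')
    $n = [Math]::Max($x.Count, $y.Count)
    for ($i = 0; $i -lt $n; $i++) {
        $xi = if ($i -lt $x.Count -and $x[$i] -match '^\d+') { [int]$matches[0] } else { 0 }
        $yi = if ($i -lt $y.Count -and $y[$i] -match '^\d+') { [int]$matches[0] } else { 0 }
        if ($xi -ne $yi) { return $xi - $yi }
    }
    return 0
}

Get-PendingActiveSetup -IncludeWow6432Node | Format-Table -AutoSize -Wrap
```

Review each StubPath that is reported: on a clean host they are Microsoft or well-known vendor commands, and a StubPath that points at a user-writable directory, a .cmd file or regedit /s is the pattern to escalate. Raising the Version value on an existing entry is enough to make Windows re-run its StubPath for every user, so compare Version against what the vendor's current installer writes, not only against HKCU.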
Possible privilege escalation attempt
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe | N/A |
Loads dropped DLL
Modifies file permissions
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\001\1 = "REGEDIT /S C:\\Windows\\register.reg" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Indicator Removal: File Deletion
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1AA53EE6-3170-4D34-A020-B6443A53A257} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ko-KR\Display.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Macromed\Flash\install.log | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| File created | C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10d.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10d.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| File created | C:\Windows\SysWOW64\user32.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winver.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\user32.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| File created | C:\Windows\SysWOW64\slmgr.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\systemcpl.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\sppcomapi.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\ko-KR\shell32.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\ko-KR\themecpl.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ko-KR\themecpl.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\slmgr.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sppcomapi.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\winver.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\systemcpl.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ko-KR\shell32.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ko-KR\Display.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\WinRAR\Formats\z.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Default_en-US.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\rarnew.dat | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\WinRAR.chm | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\7z.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Formats\tar.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\WinCon_en-US.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Zip.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\gz.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\cab.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\uue.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\rarreg.key | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\__tmp_rar_sfx_access_check_259480441 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Order.htm | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\WhatsNew.txt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\z.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Default.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\TechNote.txt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\UnrarSrc.txt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\RarExt.dll | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\ace.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Formats\iso.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\iso.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Rar.txt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\WhatsNew.txt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\UNACEV2.DLL | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Formats\ace.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Order.htm | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\7zxa.dll | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\RarExt64.dll | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\WinCon.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\WinCon.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Zip.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Zip_en-US.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Descript.ion | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\RarFiles.lst | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Uninstall.lst | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Formats\7zxa.dll | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\lzh.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\tar.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Rar.txt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\RarExt.dll | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Formats\7z.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Formats\bz2.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\bz2.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\zipnew.dat | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\File_Id.diz | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\UnRAR.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Formats\gz.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Default.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\RAR.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\RarExtLoader.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\RarFiles.lst | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\RarExtLoader.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Descript.ion | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\License.txt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\WinRAR.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\IEMaximizer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\N7\GD.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\N7\GD.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\N7\BD.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_c9a77b62978c68da\Display.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\rescache\ResCache.mni | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\wip\Segment1.cmf | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\wip\ResCache.dir | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\N7\TD.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\N7\TD.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\N7\AD.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332\themecpl.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\N7\BD.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_2bba41a8e9e5ffdb\shell32.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_87d8dd2ca2437111\shell32.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468\themecpl.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_6d88dfdedf2ef7a4\Display.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\rescache\wip\Segment0.cmf | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\wip\Segment0.toc | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\wip\Segment1.toc | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\REGISTER.reg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\REGISTER.reg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\IEMaximizer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\N7\AD.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\rescache\wip\ResCache.hit | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies File Icons
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000} | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32} | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWow64\\Macromed\\Flash" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil10d.exe" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
Modifies Shortcut Icons
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons\29 = "C:\\Windows\\System32\\imageres.dll,196" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\SysWOW64\regedit.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1AA53EE6-3170-4D34-A020-B6443A53A257}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r24\ = "WinRAR" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r03 | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r20\ = "WinRAR" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r19\ = "WinRAR" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.arj | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEMaximizer.IEMaximizerObj.1\CLSID\ = "{1AA53EE6-3170-4D34-A020-B6443A53A257}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDA9221C-1B37-4562-B26A-3DED14C8FDDA}\TypeLib\ = "{DC12326E-E897-4E2E-A51C-25F07F8A57BE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r23\ = "WinRAR" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.xxe | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32 | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000} | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\ = "Macromedia Flash Factory Object" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\Macromed\\Flash" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\ = "Shockwave Flash Object" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000} | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.7z | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\ = "Shockwave Flash Object" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1AA53EE6-3170-4D34-A020-B6443A53A257}\TypeLib\ = "{DC12326E-E897-4E2E-A51C-25F07F8A57BE}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0\0\win32\ = "C:\\Windows\\IEMaximizer.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r24 | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.uue | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\ = "FlashBroker" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r28\ = "WinRAR" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib\ = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEMaximizer.IEMaximizerObj.1\ = "IEMaximizerObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0\ = "IEMaximizer 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2 | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
Modifies registry key
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe
"C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Install.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\001 /V 1 /D "REGEDIT /S C:\Windows\register.reg" /f
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe /s
C:\Program Files (x86)\WinRAR\uninstall.exe
"C:\Program Files (x86)\WinRAR\uninstall.exe" /setup
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /S /Q "C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del /F /Q "C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe /s
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /S /Q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe.tmp"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del /F /Q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe.tmp"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 IEMaximizer.dll /s
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 29 /d C:\Windows\System32\imageres.dll,196 /f
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I "Starter"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I "HomeBasic"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I "HomePremium"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I "Professional"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I "Ultimate"
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I ACRSYS
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I DSGLTD
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I ALWARE
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I BENQ
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I DELL
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I ASUS
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I FOUNDR
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I FSC
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I FUJ
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I HPQ
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I LENOVO
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I MEDION
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I MSI
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I NOKIA
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I SECCSD
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I Sony
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I TOSASU
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I TOSCPL
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I TOSINV
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I TOSQCI
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I AVERATEC
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I JOOYON
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I LG
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I NEC
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I SHARP
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I TCL
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I HASEE
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I GBT
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I haier
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I QUANMX
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I THTFPC
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I TRIGEM
C:\Windows\SysWOW64\cscript.exe
cscript C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
data\N7\Tasks\GD.exe /y
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
data\N7\Tasks\GD.exe /m
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
data\N7\Tasks\GD.exe /d
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\N7\AD.cmd
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\N7\AD.cmd /deny everyone:f
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\N7\BD.cmd
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\N7\BD.cmd /deny everyone:f
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\N7\GD.exe
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\N7\GD.exe /deny everyone:f
C:\Windows\SysWOW64\sc.exe
sc config sppsvc start= demand
C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask1" /xml data\N7\Tasks\SvcRestartTask1.xml /ru System /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask2" /xml data\N7\Tasks\SvcRestartTask2.xml /ru System /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask3" /xml data\N7\Tasks\SvcRestartTask3.xml /ru System /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask4" /xml data\N7\Tasks\SvcRestartTask4.xml /ru System /f
C:\Windows\SysWOW64\netsh.exe
C:\Windows\System32\netsh.exe interface tcp set global autotuninglevel=highlyrestricted
C:\Windows\SysWOW64\regedit.exe
regedit /s data\Option\Prefetch1.reg
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\Temp /r /d y
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Temp /t /grant everyone:f
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\slmgr.vbs
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\slmgr.vbs /grant everyone:f
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\systemcpl.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\systemcpl.dll /grant everyone:f
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\sppcomapi.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\sppcomapi.dll /grant everyone:f
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\winver.exe
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\winver.exe /grant everyone:f
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\user32.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\user32.dll /grant everyone:f
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ko-kr\shell32.dll.mui"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\ko-kr\shell32.dll.mui"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ko-kr\themecpl.dll.mui"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\ko-kr\themecpl.dll.mui"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ko-kr\Display.dll.mui"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\ko-kr\Display.dll.mui"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_2bba41a8e9e5ffdb"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_87d8dd2ca2437111"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\x86_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_6d88dfdedf2ef7a4"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_c9a77b62978c68da"
C:\Windows\SysWOW64\regedit.exe
regedit /s data\Shortcut\MuiCache.reg
C:\Windows\SysWOW64\mcbuilder.exe
C:\Windows\System32\mcbuilder.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del C:\Windows\Prefetch\*.* 1>nul"
C:\Windows\SysWOW64\shutdown.exe
SHUTDOWN -R -F -T 00
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 198.58.118.167:80 | www.aieov.com | tcp |
Files
C:\Windows\IEMaximizer.dll
C:\Users\Admin\AppData\Local\Temp\nso5C74.tmp\NSISArray.dll
C:\Users\Admin\AppData\Local\Temp\nso5C74.tmp\fpinstall.dll
\Users\Admin\AppData\Local\Temp\nso5C74.tmp\System.dll
C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx
\Users\Admin\AppData\Local\Temp\nso5C74.tmp\UserInfo.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rarreg.key
C:\Program Files (x86)\WinRAR\WinRAR.exe
C:\Program Files (x86)\WinRAR\Rar.txt
C:\Program Files (x86)\WinRAR\WinRAR.chm
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe.tmp
C:\Program Files (x86)\WinRAR\Uninstall.exe
\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll.tmp
C:\Program Files\Common Files\System\symsrv.dll
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\REGISTER.reg
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Install.bat
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332\themecpl.dll.mui
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468\themecpl.dll.mui
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\SysWOW64\ko-KR\Display.dll.mui
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\TD.cmd
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\AD.cmd
| MD5 | 54d60650b4eb2f3ef4e751b08ef7c625 |
| SHA1 | 9a612c4387eb5ab685f216826ba7d678817291ca |
| SHA256 | 6b1b29b19c4b1fde2503aa71f52c46643ad6267d835bbeef4fa2b4178ef50da2 |
| SHA512 | e29c6a939eedbaee591f37b65e4658210eab081b752394deb20856e0f9913f5f437ce479a81ee27aea824c06cfec5b4984bc42d25988d2349ada54ae646129f3 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
| MD5 | 849c3feba650d42a5a7ac46062d59c54 |
| SHA1 | a4396db103cd5841915a37a52cc827e90c4c368f |
| SHA256 | 623adc6fa585a467cfe67ca27629bf1ae2a9056103f3edcc71ca07fd223b8512 |
| SHA512 | a1b6ecfa25d31389dee930fea400ccb7085fbcb52f193d7a8fb768be7ccafe73747a7980caf56de2e1e762f4ef7660fb4659e74dd7288135e77cefa330edaa67 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\BD_Tail.cmd
| MD5 | 64f19535d32b3df27bd0e4c8988eb90c |
| SHA1 | 79671f917cd93f5d44d5d63458474c433e279648 |
| SHA256 | bbe6e8ed9a625ed8364374b92dff3c1dd032177ce797857f851aa081ef1e89ee |
| SHA512 | 041d52db4602d446bcc92ce1380ae76e40e2108fac8fe031a46f4eb6cc654af5bdb4e1d5c48fa74bf83bd58b317e316080d91d2782dc412f1c636785163b761c |
C:\Windows\N7\BD.cmd
| MD5 | daefed22cbba32c7ee5937807699b553 |
| SHA1 | 20c33b1a6cbd66db296cbda2d296506a8817c192 |
| SHA256 | 7cbce31ecc67b6aec0bfaabeaca9bd0575a3094dc189907154729b144cc265b6 |
| SHA512 | 0b422520b03530ffe189a010e6f6361765dbfcfc30ba35faf59afec5a2b32badf08fbb827bea5d124c541da9dfc8fb5dbf9869fde22b92dec8cddda5088e61a8 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask1.xml
| MD5 | 4999ae501e729ed8c34a0f6984b8b83a |
| SHA1 | 336f033bce30edcff75a696252ffcc19f368ba5f |
| SHA256 | 476ca80be8e0921303fabfa69c941c1c3019754f70eb5f2ab0820af6f4e5d4a3 |
| SHA512 | e2060469be064242539c55b6c7dbec22cbdce6d1feaad56ffec3d56b7045fab60df683c06afd54a73c45a5ebe9e1e8b5d1f8e73b897945da941ab3cf08eb8112 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask2.xml
| MD5 | 01027180a6a26c5a2e3bf551f1dc7c44 |
| SHA1 | 9b01c13025713a3fb00467e3d0176c742240c4f0 |
| SHA256 | b2ffd969413c208f1a69812055182506c887c7769794ca686ce68e66a2e87bf6 |
| SHA512 | bba113a44768731ad6e6a64839c07d026e03be14359749850bdd9549b9714f0336d6c27bab0d725913f1cbfdfbec694269d224807066ae68a50e1aa66c522f5d |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask3.xml
| MD5 | a293dbb2f8d2b1cf104cc5069bdc72e0 |
| SHA1 | 42ef5370901fbac970633f44d11312670a2b4781 |
| SHA256 | a0ee763e8ca1a446d13a34cc14348c897b90053903fcf4bc415c6c20ecf3ef99 |
| SHA512 | 9331f66eccbefc19b66bd983bf26c830901a9bb5ca33fbeeb821fc36c1722484cf9301e0d732133738b134461c537bd4a350fbf2d4be5ea07bb668cff389b4e1 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\SvcRestartTask4.xml
| MD5 | a34211b7e172d80ac6db1d1ab87fbb6d |
| SHA1 | a7979e0a0d2122430081c4a06d73526095b54580 |
| SHA256 | bdd78e2045f43717423b66a338b0a5815359c13eedca5a6a70b79c3440682689 |
| SHA512 | d0285a77f7dc2042f49da61ba0d3d336024375d43b0b64bdc3e94ce47ba96b9b415ddcd90da43fd99381a0f3082f6f418e47163b1d683dd062e006eb82c263b4 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Option\Prefetch1.reg
| MD5 | f2e7e95075c04b3bec89118952aeacf9 |
| SHA1 | 669fcdbe70dced5524c91b631d7241b9ec0e1d8d |
| SHA256 | a568d9604a56f35a3726636cd33c69ad48f607f55744565ba613addc432f1165 |
| SHA512 | a3121c0ea0afdae0a231df264745f90ae7660107ff24145e87d722a61b8497bdffc45cb9e2f13e4b5c0e96f577ac08b105a57015b14f8cc8575343d341776b56 |
memory/2208-380-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\slmgr.vbs
| MD5 | 574e64a8373ee84bef032e205725527e |
| SHA1 | 4e3f5b2f3330f3735cd019f764ef856f5208ac13 |
| SHA256 | f188be045a388b2c028592cd61399d6d082099c35c05b620e396faa5a20ff04a |
| SHA512 | dad8d2a1e6ba7d9c0bb447dba365b3d41c09925b1bb5566dd9ac7ab9fcfea4c4e906ef0d01c7666e2b8f85249281d3cb08b34f518b799670d2203eeb08a1b857 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\systemcpl.dll
| MD5 | 911eb55f9f74a6383983e0a6a8a2772d |
| SHA1 | 5f40c2e1ff4e6a544ed160b355b6673925d66741 |
| SHA256 | 3ab580c2f8d5588ced041a96b686c88987f8217283066e408d5092f0eac7c079 |
| SHA512 | 0cec6c11552936c9af72b9eb8ac7d12abfde1caea99471e421375926705a4427df4727b0645663c6a267d2957ad741e29c5f74950bfa6adeaf1754eb061b390a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\sppcomapi.dll
| MD5 | 69d9d1785ec1f5032538f2696210e2e2 |
| SHA1 | 7dacc1c0fb5ca9e92fc1fcd90a23d74b75042c00 |
| SHA256 | 444d4dfb574dcc145067b19763befd65d0e6ad9a7bb1423c92ef4ff4f6638145 |
| SHA512 | 82839d76bc10dbc8849fc3879b3c776e218ed4d8496a40226116aa64798bdac41173a2dada4cc4478776c82af69cc5de541cd71fdc03eeb0301768dec0ef9e53 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\winver.EXE
| MD5 | 7941f0c4bd4004269b268e66752dac9b |
| SHA1 | 6accf1d9b5981eb12a22c530c3d37be9ca54c415 |
| SHA256 | 06c59055bd2d5bc2fc1950abb377b0aa33f74d8faab3ee074d54a2f8a93e38d2 |
| SHA512 | c8a720341ffeb39939d18c7d9f1c298554db5768d34bb24bfdf6f9f66ddbfb1884b7b20c30229cacc674856acf032081d55be4738bd7be7e1acbd781b25272a9 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\x64\user32.dll
| MD5 | e573bd9ab55c8e333c202b9e255f972e |
| SHA1 | 460bde795885134b48465dc73797db695af33e1f |
| SHA256 | 79bec0da770265d1a525330b2e732e055edde617bcc2848c2742492f9dbc881e |
| SHA512 | bcae097591cbc66e20771ef69e6544e5f951e0821b8d2a4779e524c542e5ad1d75ff683a15a76f5577e1e1389f4058cd36da7d0c785c504b2305cc144dc7b4bf |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\System32\ko-KR\shell32.dll.mui
| MD5 | 1ffdf30fd8c8a747fd9add1497530072 |
| SHA1 | 63954a4f3703a07e126a4dc345ac6ea1ac090d77 |
| SHA256 | 7dc85b3a6324c3b5ad8b5b6be9ffb87b7cf15c6f0b0ff2376a8fa1242e791208 |
| SHA512 | 99729dc858d885c258af44ad3492456644eb84ce0a772137ce1a9d4ca0e5765eb1d5d49351c943e4e21456f9a5775404effdc5649a8cc53e4c972d5b05be0961 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\SysWOW64\ko-KR\shell32.dll.mui
| MD5 | 6bbc2ca29605dc83bd8f86eee2a98539 |
| SHA1 | 1e0c4b316426be15c289c1a9e486e9b3e3095f0e |
| SHA256 | e037bafa4dcca2f458b91bbbb1b6eae0604c0ab89d2622dabcf06c8c2328887f |
| SHA512 | 9fc7139eef0a35f3c754251871b512d2fdf5f063ded8171f7a27fef0b465d0396437c04506c210adc3d82b2a1b8604e766220957aa5a09792c25e96ef352a6d9 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\Shortcut\x64\System32\ko-KR\Display.dll.mui
| MD5 | 827d5f1094f6fb7ac4252dbeb193e9e9 |
| SHA1 | 10e3b1eb59cdda5aa79f5d78dfc5269d1c8c15c3 |
| SHA256 | a6fd479ff612d294eb72597f434aed310ae06a6226de49368af077fe843a0bff |
| SHA512 | 717ca7697c66c94d1874fae1202db37a2269a63df0235705def1e05289a2f56c400d0f55ae68333aa3386e2625857f844d38cf9eadea09850da36287cb5d18a0 |
memory/1732-431-0x00000000770F0000-0x00000000771F0000-memory.dmp
memory/2208-435-0x0000000010000000-0x0000000010030000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\AVERATEC .XRM-MS
| MD5 | 172c78e78366f8dcbe4c4a5546bad60b |
| SHA1 | 67022b142bd1a0248206d1d10da3d51f88b4e1ef |
| SHA256 | 4a99e456460a326f2659706f031efe268d0dfabfb40f77d84dde6a5ba0e6e664 |
| SHA512 | 4dc34aad5783835ac64328b9b351af8f1dfa6372ea5403582d62bc48398e5d56a169aef4fcce24e28ec04c64fbee1352ff433645f0e8faae438dd392e15fa6a4 |
memory/2208-473-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2208-474-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 11:30
Reported
2024-11-09 11:30
Platform
win10v2004-20241007-en
Max time kernel
9s
Max time network
10s
Command Line
Signatures
Floxif family
Floxif, Floodfix
Detects Floxif payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ = "Adobe Flash Player" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ComponentID = "Flash" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IsInstalled = 01000000 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version = "10.0.42.34" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Locale = "EN" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000} | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
Possible privilege escalation attempt
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe | N/A |
Loads dropped DLL
Modifies file permissions
Modifies system executable filetype association
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\001\1 = "REGEDIT /S C:\\Windows\\register.reg" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\e: | C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1AA53EE6-3170-4D34-A020-B6443A53A257} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\slmgr.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\ko-KR\shell32.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10d.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| File created | C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ko-KR\themecpl.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\ko-KR\Display.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ko-KR\Display.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| File created | C:\Windows\SysWOW64\systemcpl.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\winver.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\user32.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\user32.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\ko-KR\themecpl.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Macromed\Flash\install.log | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\systemcpl.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\sppcomapi.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winver.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ko-KR\shell32.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10d.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| File created | C:\Windows\SysWOW64\slmgr.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sppcomapi.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\WinRAR\File_Id.diz | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\WinRAR.chm | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\WinCon.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\UnRAR.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\7zxa.dll | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\iso.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Default.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Formats\z.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Default.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Rar.txt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\WinRAR.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\WinRAR.chm | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Formats\arj.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Formats\tar.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Order.htm | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\UnRAR.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Formats\bz2.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\gz.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\tar.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Order.htm | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\RAR.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\rarnew.dat | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\RarExt64.dll | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\WinCon.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\File_Id.diz | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\License.txt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\RarFiles.lst | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files\Common Files\System\symsrv.dll | C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Formats\gz.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Formats\uue.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Zip_en-US.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\rarreg.key | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\rarreg.key | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Descript.ion | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\RAR.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\RarExtLoader.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\7z.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\ace.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | \??\c:\program files\common files\system\symsrv.dll.000 | C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Formats\lzh.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Default_en-US.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\__tmp_rar_sfx_access_check_240622546 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\TechNote.txt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Formats\ace.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\bz2.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Formats\UNACEV2.DLL | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Formats\z.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Default_en-US.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Descript.ion | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Uninstall.lst | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\Uninstall.lst | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\RarExt.dll | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\RarExt64.dll | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\WinCon_en-US.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\TechNote.txt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\RarExtLoader.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WinRAR\RarExt.dll | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Rar.txt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\Formats\cab.fmt | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
| File created | C:\Program Files (x86)\WinRAR\WinCon_en-US.SFX | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\IEMaximizer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\rescache\_merged\1102129660\345889209.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\1008669510\1734134314.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File opened for modification | C:\Windows\N7\BD.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\rescache\_merged\242531539\609458986.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_2bba41a8e9e5ffdb\shell32.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\rescache\_merged\2285375612\822456485.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\2879188601\1382411678.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\3983011459\1580804228.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\2360802049\1299715264.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File opened for modification | C:\Windows\REGISTER.reg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\N7\AD.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\N7\GD.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\rescache\_merged\1910676589\260453855.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\2229298842\2338367480.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\2263554406\1489458240.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\899128513\278537531.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332\themecpl.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_c9a77b62978c68da\Display.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\rescache\_merged\431186354\664160052.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\64831148\1708141201.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File opened for modification | C:\Windows\N7\TD.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468\themecpl.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\rescache\_merged\92721896\1006516967.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\3252231599\1102529190.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File opened for modification | C:\Windows\N7\GD.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\N7\BD.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\rescache\_merged\3214612860\191226432.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\2782477206\3183301228.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\3200614358\91508946.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_6d88dfdedf2ef7a4\Display.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\rescache\_merged\2530935351\2043112024.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\1691975690\289124040.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\3977956527\660711251.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\2965031256\2186393681.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\1712550052\1566146761.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\3479232320\10984804.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File opened for modification | C:\Windows\N7\AD.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\rescache\_merged\3937681233\2629454849.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\3246022523\1026222830.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\1045417640\1970411053.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\N7\TD.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\rescache\_merged\2939201637\2780454293.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\4245263321\972629028.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\REGISTER.reg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_87d8dd2ca2437111\shell32.dll.mui | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\rescache\_merged\1936697710\3765975002.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\3970336390\2852777008.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\3628602599\4114135626.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\2137598169\2220136654.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\1945310375\2859827603.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\1649057605\2370279289.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\1902349548\2095009400.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\IEMaximizer.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\rescache\_merged\205257784\1090160821.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\3031988681\2910786296.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\2899339121\3421633766.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\2928961003\3648374783.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\4278325366\997494378.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\2181205234\223941317.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\942976607\1045346277.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| File created | C:\Windows\rescache\_merged\482193516\3536622724.pri | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies File Icons
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWow64\\Macromed\\Flash" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil10d.exe" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000} | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32} | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
Modifies Shortcut Icons
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\29 = "C:\\Windows\\System32\\imageres.dll,196" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "194" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\WinRAR32 | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r06 | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0\HELPDIR\ = "C:\\Windows" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "ShockwaveFlash.ShockwaveFlash" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0\ = "IEMaximizer 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDA9221C-1B37-4562-B26A-3DED14C8FDDA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Program Files (x86)\\WinRAR\\WinRAR.exe\" \"%1\"" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\Macromed\\Flash" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{307F64C0-621D-4D56-BBC6-91EFC13CE40D}\TypeLib\Version = "1.1" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r26 | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mfp | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "WinRAR" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.7z | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r13 | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR ?? ??" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\ = "Shockwave Flash Object" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000} | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r27 | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\ = "FlashBroker" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\ = "IFlashAccessibility" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32 | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AA53EE6-3170-4D34-A020-B6443A53A257}\ = "IEMaximizerObj Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r19 | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r19\ = "WinRAR" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bz\ = "WinRAR" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ = "IFlashBroker3" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\MuiCache | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r22 | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.r20 | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files (x86)\\WinRAR\\rarnew.dat" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.r23\ = "WinRAR" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\ = "Shockwave Flash Object" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DC12326E-E897-4E2E-A51C-25F07F8A57BE}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | C:\Program Files (x86)\WinRAR\uninstall.exe | N/A |
Modifies registry key
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\mcbuilder.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe
"C:\Users\Admin\AppData\Local\Temp\a94fa23474bd3f64442455765bd9249917c259020ee897ada5f948891b99c9bcN.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Install.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\001 /V 1 /D "REGEDIT /S C:\Windows\register.reg" /f
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\wrar391.exe /s
C:\Program Files (x86)\WinRAR\uninstall.exe
"C:\Program Files (x86)\WinRAR\uninstall.exe" /setup
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\flash.exe /s
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 IEMaximizer.dll /s
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 29 /d C:\Windows\System32\imageres.dll,196 /f
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I "Starter"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I "HomeBasic"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I "HomePremium"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I "Professional"
C:\Windows\SysWOW64\reg.exe
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID"
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I "Ultimate"
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I ACRSYS
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I DSGLTD
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I ALWARE
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I BENQ
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I DELL
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I ASUS
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I FOUNDR
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I FSC
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I FUJ
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I HPQ
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I LENOVO
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I MEDION
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I MSI
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I NOKIA
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I SECCSD
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I Sony
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I TOSASU
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I TOSCPL
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I TOSINV
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I TOSQCI
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I AVERATEC
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I JOOYON
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I LG
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I NEC
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I SHARP
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I TCL
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I HASEE
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I GBT
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I haier
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I QUANMX
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I THTFPC
C:\Windows\SysWOW64\reg.exe
REG QUERY HKLM\HARDWARE\ACPI\RSDT
C:\Windows\SysWOW64\findstr.exe
FINDSTR /I TRIGEM
C:\Windows\SysWOW64\cscript.exe
cscript C:\Windows\System32\slmgr.vbs -ipk
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
data\N7\Tasks\GD.exe /y
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
data\N7\Tasks\GD.exe /m
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\data\N7\Tasks\GD.exe
data\N7\Tasks\GD.exe /d
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\N7\AD.cmd
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\N7\AD.cmd /deny everyone:f
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\N7\BD.cmd
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\N7\BD.cmd /deny everyone:f
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\N7\GD.exe
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\N7\GD.exe /deny everyone:f
C:\Windows\SysWOW64\sc.exe
sc config sppsvc start= demand
C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask1" /xml data\N7\Tasks\SvcRestartTask1.xml /ru System /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask2" /xml data\N7\Tasks\SvcRestartTask2.xml /ru System /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask3" /xml data\N7\Tasks\SvcRestartTask3.xml /ru System /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask4" /xml data\N7\Tasks\SvcRestartTask4.xml /ru System /f
C:\Windows\SysWOW64\netsh.exe
C:\Windows\System32\netsh.exe interface tcp set global autotuninglevel=highlyrestricted
C:\Windows\SysWOW64\regedit.exe
regedit /s data\Option\Prefetch1.reg
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\Temp /r /d y
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Temp /t /grant everyone:f
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\slmgr.vbs
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\slmgr.vbs /grant everyone:f
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\systemcpl.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\systemcpl.dll /grant everyone:f
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\sppcomapi.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\sppcomapi.dll /grant everyone:f
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\winver.exe
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\winver.exe /grant everyone:f
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\user32.dll
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\user32.dll /grant everyone:f
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ko-kr\shell32.dll.mui"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\ko-kr\shell32.dll.mui"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ko-kr\themecpl.dll.mui"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\ko-kr\themecpl.dll.mui"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\ko-kr\Display.dll.mui"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\SysWOW64\ko-kr\Display.dll.mui"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_2bba41a8e9e5ffdb"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_87d8dd2ca2437111"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\x86_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_60d6493e5ec01332"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_bcf4e4c2171d8468"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\x86_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_6d88dfdedf2ef7a4"
C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\winsxs\amd64_microsoft-windows-display.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_c9a77b62978c68da"
C:\Windows\SysWOW64\regedit.exe
regedit /s data\Shortcut\MuiCache.reg
C:\Windows\SysWOW64\mcbuilder.exe
C:\Windows\System32\mcbuilder.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del C:\Windows\Prefetch\*.* 1>nul"
C:\Windows\SysWOW64\shutdown.exe
SHUTDOWN -R -F -T 00
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38e2855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | www.aieov.com | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 45.79.19.196:80 | www.aieov.com | tcp |
| US | 8.8.8.8:53 | 196.19.79.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5isohu.com | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files