4c603d76...4e89

Severity	Category	Operation	Classification
4/5	Injection	Writes into the memory of another running process	-
"c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe" modifies memory of "c:\windows\system32\svchost.exe" ... VTI Actions Go to function call
"c:\windows\system32\svchost.exe" modifies memory of "c:\windows\explorer.exe" ... VTI Actions Go to function call
"c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe" modifies memory of "c:\windows\system32\svchost.exe" ... VTI Actions Go to function call
4/5	Injection	Modifies control flow of another process	-
"c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe" alters context of "c:\windows\system32\svchost.exe" ... VTI Actions Go to function call
"c:\windows\system32\svchost.exe" alters context of "c:\windows\explorer.exe" ... VTI Actions Go to function call
"c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe" alters context of "c:\windows\system32\svchost.exe" ... VTI Actions Go to function call
"c:\windows\system32\svchost.exe" creates thread in "c:\windows\explorer.exe" ... VTI Actions Go to function call
3/5	Browser	Changes security-related browser settings	-
Disables SPDY/3 for Microsoft Internet Explorer. ... VTI Actions Go to function call
3/5	Device	Monitors keyboard input	Keylogger
Installs system wide "WH_KEYBOARD_LL" hook(s) to monitor keystrokes. ... VTI Actions Go to function call
2/5	Device	Sends control codes to connected devices	-
Controls device "STD_ERROR_HANDLE" through API DeviceIOControl. ... VTI Actions Go to function call
1/5	Anti Analysis	Resolves APIs dynamically	-
Resolves an unusually high number of APIs. ... VTI Actions Go to function call
1/5	Information Stealing	Reads system data	Spyware
Reads the Windows installation date from registry. ... VTI Actions Go to function call
Reads data from clipboard. ... VTI Actions Go to function call
1/5	Persistence	Installs system startup script or application	-
Adds "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe" to Windows startup via registry. ... VTI Actions Go to function call
1/5	Process	Creates process with hidden window	-
The process "C:\Users\CIIHMN~1\AppData\Local\Temp\AC4C\ADA6.bat" starts with hidden window. ... VTI Actions Go to function call
The process "C:\Windows\system32\svchost.exe" starts with hidden window. ... VTI Actions Go to function call
1/5	Process	Creates a page with write and execute permissions	-
Allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. ... VTI Actions Go to function call
1/5	Process	Creates system object	-
Creates mutex with name "{02F1C55C-79FC-84FB-1356-BDF8F7EA41AC}". ... VTI Actions Go to function call
Creates mutex with name "{CEF02F91-D541-3029-CFE2-D96473361DD8}". ... VTI Actions Go to function call
Creates mutex with name "Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}". ... VTI Actions Go to function call
Creates mutex with name "Local\{FB999B87-1EC7-E503-005F-32E93403862D}". ... VTI Actions Go to function call
Creates mutex with name "Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}". ... VTI Actions Go to function call
Creates mutex with name "{CA459827-A1FA-8CD3-7B9E-6580DFB269B4}". ... VTI Actions Go to function call
Creates mutex with name "{AE35B69A-3501-1021-2FC2-3944D3167DB8}". ... VTI Actions Go to function call
1/5	Process	Reads from memory of another process	-
"c:\windows\system32\svchost.exe" reads from "c:\windows\explorer.exe". ... VTI Actions Go to function call
1/5	Process	Overwrites code	-
Overwrites code to possibly hide behavior. ... VTI Actions Go to hook information

Notifications (2/2)

Before

After