Malware Analysis Report

2024-10-19 10:39

Sample ID: 221104-vwgxgabbcl
Target: 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63
SHA256: 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63
Tags: upx xorist adware persistence ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63

Threat Level: Known bad

The file 9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63 was found to be: Known bad.

Malicious Activity Summary

Tags: upx xorist adware persistence ransomware spyware stealer

Xorist Ransomware
Xorist family
Detected Xorist Ransomware
Sets file execution options in registry
Registers COM server for autorun
UPX packed file
Drops file in Drivers directory
Modifies extensions of user files
Executes dropped EXE
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates connected drives
Adds Run key to start application
Installs/modifies Browser Helper Object
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-04 17:20

Signatures

Detected Xorist Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Xorist family

xorist

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-04 17:20
Reported: 2022-11-04 17:22
Platform: win7-20220901-en
Max time kernel: 130s
Max time network: 50s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe"

Signatures

Detected Xorist Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xorist Ransomware

ransomware xorist

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ShowWait.png => C:\Users\Admin\Pictures\ShowWait.png.CrySpheRe C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File renamed C:\Users\Admin\Pictures\SplitClear.png => C:\Users\Admin\Pictures\SplitClear.png.CrySpheRe C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File renamed C:\Users\Admin\Pictures\UseAdd.png => C:\Users\Admin\Pictures\UseAdd.png.CrySpheRe C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File renamed C:\Users\Admin\Pictures\InvokeExit.png => C:\Users\Admin\Pictures\InvokeExit.png.CrySpheRe C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File renamed C:\Users\Admin\Pictures\ResumeConvertFrom.png => C:\Users\Admin\Pictures\ResumeConvertFrom.png.CrySpheRe C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5554F805-47C0-489D-AAE6-2D11C6E4A3ED}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E390D9E-7641-4819-BF38-8EEE08964681}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.DLL" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{C514A18E-862A-45d3-8A5E-62CF54D912B6}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{977D8304-FAAA-4331-81DB-B67FC2134A38}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{E87ECCF7-3CBA-45CF-B58E-1A6630D39199}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{D66DC78C-4F61-447F-942B-3FB6980118CF}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4693FF15-B962-420A-9E5D-176F7D4B8321}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8075731E-5146-11D5-A672-00B0D022E945}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\INLAUNCH.DLL" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\InprocServer32\InprocServer32 = 7800620027004200560052002100210021002100340021002100210021004d004b004b0053006b0056006900730069006f0036003400460069006c00650073003e0034002d007b0024004b00660073005e0036004100680024007b0041005000420059004f004800580000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CCA70DB-DE7A-4FB7-9B2B-52E2335A3B5A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{977D8304-FAAA-4331-81DB-B67FC2134A38}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20E823C2-62F3-4638-96BD-90F4F6784EBC}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\VISSHE.DLL" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\VISSHE.DLL" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EE84065-8BA3-4a8a-9542-6EC8B56A3378}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{312AB530-ECC9-496E-AE0E-C9E6C5392499}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4693FF15-B962-420A-9E5D-176F7D4B8321}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{977D8304-FAAA-4331-81DB-B67FC2134A38}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\ONLNTCOMLIB.DLL" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{3CA78EDC-E48A-4A21-9562-9245BF90CE3F}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8075731E-5146-11D5-A672-00B0D022E945}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{F09D237B-3FD1-4900-BEF2-3471CA68142D}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{807573E6-5146-11D5-A672-00B0D022E945}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D9160E22-BDF3-4D8A-818C-D99D10EC7BEF}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.DLL" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\MSOHEVI.DLL" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FAEA5B46-761B-400E-B53E-E805A97A543E}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E6-5146-11D5-A672-00B0D022E945}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E6-5146-11D5-A672-00B0D022E945}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{8DE0A0A1-96D0-4B04-8EC6-2DBF9BD888DC}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{48E73304-E1D6-4330-914C-F5F514E3486C}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{D9230E09-3737-43F5-8C78-BC4C83DC296C}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{5554F805-47C0-489D-AAE6-2D11C6E4A3ED}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{DDFE337F-4987-4EC8-BDE3-133FA63D5D85}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0006F045-0000-0000-C000-000000000046}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\OLKFSTUB.DLL" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32\InprocServer32 = 7800620027004200560052002100210021002100340021002100210021004d004b004b0053006b0056006900730069006f0036003400460069006c00650073003e0034002d007b0024004b00660073005e0036004100680024007b0041005000420059004f004800580000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\InprocServer32\ = "C:\\PROGRA~1\\MICROS~2\\Office14\\URLREDIR.DLL" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B8D12492-CE0F-40AD-83EA-099A03D493F1}\InprocServer32\ = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONFILTER.DLL" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D66DC78C-4F61-447F-942B-3FB6980118CF}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E5-5146-11D5-A672-00B0D022E945}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLMF.DLL" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{CB3F7806-3CB4-409C-BA3B-12D642BE371A}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{73507951-A405-4E95-A197-B5FE6C6C001D}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{73507951-A405-4E95-A197-B5FE6C6C001D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{95F35795-64B1-495D-9DE7-390EECC31EC0}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\NAMEEXT.DLL" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{4693FF15-B962-420A-9E5D-176F7D4B8321}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E6-5146-11D5-A672-00B0D022E945}\InprocServer32\InprocServer32 = 7800620027004200560052002100210021002100340021002100210021004d004b004b0053006b00580044004f0043005300460069006c0065007300360034003e00390026006000570060003600720038004e003900410032006900240027006c0062007a006100480000000000 C:\Windows\system32\msiexec.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe\DisableExceptionChainValidation = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe\DisableExceptionChainValidation = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\system32\msiexec.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6J1IMrImAiEKru9.exe" C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\NoExplorer = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\ = "URLRedirectionBHO" C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\COLORCNV.DLL C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\wiaca00c.inf_amd64_neutral_27f4ad26fea72eb1\CNHL140.DLL C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\001d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\cmstplua.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\Amd64\LXKXLRES.DLL C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\RstrtMgr.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech\SpeechUX\SpeechUXPS.DLL C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmhay2.inf_amd64_neutral_ff250f861d941dd8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\termmou.inf_amd64_neutral_207a02df8e9e6552\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomeBasicN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVR12.DLL C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomePremium\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\ctfmon.exe C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca00i.inf_amd64_neutral_09ff5ee0a0cf0233\Amd64\CNB_0341.DLL C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVR1P.DLL C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\httpapi.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_format.ps1xml.help.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\hpoa1ss.inf_amd64_neutral_8cae09a2238d64e0\hpowiav1.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\mprmsg.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_providers.help.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\bitsprx4.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc4500t.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\imagehlp.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\_Default\EnterpriseE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\DriverStore\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\DriverStore\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\dpnathlp.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\cscobj.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\OEM\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\migisol.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\NlsData002a.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\sbeio.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\catsrvps.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_logical_operators.help.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ipmidrv.inf_amd64_neutral_1cb648411f252d13\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmairte.inf_amd64_neutral_0feacd08cb9c7fe3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmbr006.inf_amd64_neutral_40c76453575b1208\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\Amd64\CNBP_280.DLL C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca00h.inf_amd64_neutral_96a8e38189e54d71\Amd64\CNB_0302.DLL C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\OEM\ProfessionalN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\dinput8.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\mfcm100.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\KBDTH1.DLL C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\UIAnimation.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_escape_characters.help.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\logoncli.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\apds.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\driverquery.exe C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpzurw71.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\_Default\Enterprise\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\slmgr\0411\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\activeds.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\dmstyle.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmsier.inf_amd64_neutral_622ad8125bbeeda8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\KBDSORS1.DLL C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\mscorier.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\provsvc.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\sppinst.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg_orange.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EntityDataHandler.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\picturePuzzle.html C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_cloudy.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\fxplugins.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBE7INTL.DLL C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoDev.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR50F.GIF C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19582_.GIF C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10254_.GIF C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR8B.GIF C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile16.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\DiagnosticsTap.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files\Windows NT\Accessories\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Resources.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00103_.GIF C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ogalegit.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files (x86)\Common Files\System\ado\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSRuntime.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7FR.DLL C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libshm_plugin.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\icon.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files (x86)\Common Files\DESIGNER\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00601G.GIF C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kab.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.ServiceModel.Resources.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00021_.GIF C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSetupPS.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winsxs\x86_microsoft-windows-docprop.resources_31bf3856ad364e35_6.1.7600.16385_de-de_be3fbfa99c9fb6c2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-osk.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b06b1df8d88baa8f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_de-de_1f63cd5d3ae047e8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\Sleep Away.mp3 C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-rasgetconnectedwizard_31bf3856ad364e35_6.1.7600.16385_none_39ea34b42d8bab89\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_2e9f92abd2ce43b6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_preference_variables.help.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-vssadmin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b1986a2a9f4251b3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-wsd-challengecomponent_31bf3856ad364e35_6.1.7601.17514_none_267f132f01972084\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\system.Resources.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-b..ng-base-homepremium_31bf3856ad364e35_6.1.7600.16385_none_7de3f055667d5adf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Garden.jpg C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\winsxs\x86_netfx35linq-system.core_31bf3856ad364e35_6.1.7601.17514_none_6161fc35ed136622\System.Core.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_wiaca00d.inf_31bf3856ad364e35_6.1.7600.16385_none_9b51e5b3b1f90953\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelEvents.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_mdmbr005.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bfcd338840ee79ef\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\1.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-r..-detector.resources_31bf3856ad364e35_6.1.7600.16385_it-it_58c0b0f0f0041d9d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-d..ing-management-core_31bf3856ad364e35_6.1.7601.17514_none_895a2b74415ea575\LogProvider.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..peeradmin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_719df0580731deba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-m..-mdac-rds-shape-rll_31bf3856ad364e35_6.1.7600.16385_none_d61b29a61a7467d6\msaddsr.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-w..ment-core.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c3debc2d5eb92b3c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.1.7601.17514_none_be8bab32249b2a4e\RegSvcs.exe C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\sysglobl\8abe9d895b3e9efe741b9162cb9206fc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\inf\SMSvcHost 4.0.0.0\0015\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Reflection.Extensions.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fb8a5e47801bdd37\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ie-setup_31bf3856ad364e35_8.0.7601.17514_none_121fa84cd569cffc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_Ref.help.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-msctfp_31bf3856ad364e35_6.1.7600.16385_none_cab3b5905044da08\msctfp.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-b..core-fonts-chs-boot_31bf3856ad364e35_6.1.7600.16385_none_30d8afa629263809\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a33e988d033651ee\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-display_31bf3856ad364e35_6.1.7601.17514_none_b66e6297f95421b9\Display.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-windowsmediaplayer-adm_31bf3856ad364e35_6.1.7600.16385_none_cc71ea8336ec7782\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\winsxs\msil_system.servicemodel.web.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4d2ca4b8d52c0aa3\System.ServiceModel.Web.resources.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\wpfgfx_amd64.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-com-base_31bf3856ad364e35_6.1.7600.16385_none_69e3281e403684ea\oleres.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..vault-cpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4bdcac3537e3a78e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_07861dacd36a18f4\rss_headline_glow_floating.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-linkinfo_31bf3856ad364e35_6.1.7600.16385_none_945a23c3bf051859\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_prnep002.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5d20bc044275096a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-webio.resources_31bf3856ad364e35_6.1.7601.17514_en-us_018102d196ec4984\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-wordpad.resources_31bf3856ad364e35_6.1.7600.16385_it-it_95a964e94322127e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\winsxs\msil_system.windows.forms.resources_b77a5c561934e089_6.1.7600.16385_de-de_8a9d73b390fd5af5\System.Windows.Forms.Resources.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-m..player-shellpreview_31bf3856ad364e35_6.1.7600.16385_none_26e76f2ac1492952\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Media\Windows Startup.wav C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\fr\System.Management.Resources.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Numerics.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cb8d93e1dba7ea79\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..xecutable.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f718a5b90ca5f2a4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-rasdlg.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b485f6a854acdc6c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_join.help.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_es-es_7d8445a5fca61fed\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-xmllite_31bf3856ad364e35_6.1.7600.16385_none_8911d4b604a223a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ja\infocard.resources.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1040\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f52607304e593d93\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-w..mediadeliveryengine_31bf3856ad364e35_6.1.7601.17514_none_7b96264774336146\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\a16dd65d2bfab6a019ac8a05337a5c24\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Green Bubbles.htm C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\winsxs\amd64_prnep005.inf_31bf3856ad364e35_6.1.7600.16385_none_951535885e4cab60\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Default Visible = "Yes" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\HotIcon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBTTN~1.DLL,103" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\Icon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBTTN~1.DLL,103" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ClsidExtension = "{48E73304-E1D6-4330-914C-F5F514E3486C}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\AppName = "onenote.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\AppPath = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ButtonText = "OneNote Lin&ked Notes" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\MenuText = "OneNote Lin&ked Notes" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ToolTip = "OneNote Linked Notes" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\ClsidExtension = "{FFFDC614-B694-4AE6-AB38-5D6374584B52}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\HotIcon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBttnIE.dll,103" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Icon = "C:\\PROGRA~1\\MICROS~2\\Office14\\ONBttnIE.dll,103" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71} C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\AppName = "IEContentService.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ToolTip = "Send to OneNote" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\AppPath = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253}\Policy = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\Default Visible = "Yes" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\ButtonText = "Send to OneNote" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}\MenuText = "Se&nd to OneNote" C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\Policies\PayloadOverride\ C:\Windows\system32\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\Policies\59a52881-a989-479d-af46-f275c6370663 C:\Windows\system32\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\Policies\PayloadOverride C:\Windows\system32\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\Policies C:\Windows\system32\MsiExec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\.dotm\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{FC8E6CD1-E6F2-4A8F-A99B-2F3BA2B3DE6B}\ProxyStubClsid C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{64654B35-A024-4807-89D3-C6FDB5A260C7} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{3CA78EDC-E48A-4A21-9562-9245BF90CE3F}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{73507951-A405-4E95-A197-B5FE6C6C001D}\Programmable C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneNote.IEAddin\ = "Send to OneNote from Internet Explorer button" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2F5480E-ED5A-4DDE-B8A8-F9F297479F62}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\RYAGHXYNWJVCEJA\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6J1IMrImAiEKru9.exe,0" C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\InprocServer32\InprocServer32 = 7800620027004200560052002100210021002100340021002100210021004d004b004b0053006b0056006900730069006f0036003400460069006c00650073003e0034002d007b0024004b00660073005e0036004100680024007b0041005000420059004f004800580000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{64654B35-A024-4807-89D3-C6FDB5A260C7}\Control C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{096CD6FD-0786-11D1-95FA-0080C78EE3BB}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE\" /verb open \"%1\"" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{71DC7F9D-50F3-44AD-A58D-DD192A6C243A} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VisShe.CVisioFileFilter.1\CLSID\ = "{A394DCA9-3727-11D4-BD85-00C04F6B93A4}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pptx\ShellEx\PropertyHandler\ = "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\URLRedirection.URLRedirectionBHO\ = "Office Document Cache Handler" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\odctable.1\HTML Handler C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA3E6E3C-5130-49c1-8EDE-F889CD0F4429}\1.0\0\win32\ = "C:\\PROGRA~1\\MICROS~2\\Office14\\AUTHZAX.DLL" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\TypeLib\ = "{053392D0-BE6A-47CF-A7A4-AD17EEDF5680}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{200C17D6-6854-439D-AFFA-0BB35D09B8F0}\TypeLib\Version = "1.0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-compressed C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{95F35795-64B1-495D-9DE7-390EECC31EC0}\ = "Microsoft Office Project Task Launch Control" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.vtx\shellex\{00021500-0000-0000-C000-000000000046} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E390D9E-7641-4819-BF38-8EEE08964681}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\ = "Office Document Cache Handler" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{D9230E09-3737-43F5-8C78-BC4C83DC296C}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneNote.IEAddin.LinkedNotes\CurVer\ = "OneNote.IEAddin.LinkedNotes.14" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{760681E7-B985-41CE-BCBE-2985A1DFC61C}\ = "VSTO Assembly100" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vtx\PersistentHandler\ = "{FAEA5B46-761B-400E-B53E-E805A97A543E}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109A20000000100000000F01FEC\Visio64Files C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0} C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\XEV.FailSafeApp\EditFlags = 01000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E87ECCF7-3CBA-45CF-B58E-1A6630D39199}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\Office14\\ONLNTCOMLIB.DLL" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FAEA5B46-761B-400E-B53E-E805A97A543E}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\OSPPWMI.OSppWmiProvider.1\CLSID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{7CCA70DB-DE7A-4FB7-9B2B-52E2335A3B5A}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\odccube.1\HTML Handler\ = "\"C:\\PROGRA~1\\MICROS~2\\Office14\\MSOHTMED.EXE\" \"%1\"" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA3E6E3C-5130-49c1-8EDE-F889CD0F4429}\1.0\ = "Microsoft Office 14 Authorization Control 1.0 Type Library" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC8E6CD1-E6F2-4A8F-A99B-2F3BA2B3DE6B}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Search.OneIndexHandler.2\CLSID\ = "{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\OneNote.IEAddin.12\CLSID\ = "{48E73304-E1D6-4330-914C-F5F514E3486C}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\OneNote.NoteAnchorCollection.14\CLSID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\OneNote.IEAddin.LinkedNotes C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{FFFDC614-B694-4AE6-AB38-5D6374584B52}\TypeLib C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E390D9E-7641-4819-BF38-8EEE08964681}\ = "Office SPP WMI Provider" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{F3685D71-1FC6-4CBD-B244-E60D8C89990B}\1.0\0\win32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\xmlfile\shell\open\command C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5BF6FE9-913F-4117-94C7-5040C7E3A6C1}\ = "IconHandlerShellExt Class" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\odctable.1\HTML Handler\Icon\.odc = ".odctablefile" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{E87ECCF7-3CBA-45CF-B58E-1A6630D39199}\VersionIndependentProgID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\OneNote.NoteLinkStoreService.14\CLSID C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{D66DC78C-4F61-447F-942B-3FB6980118CF}\TypeLib C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{200C17D6-6854-439D-AFFA-0BB35D09B8F0}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00004109A20000000100000000F01FEC C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RYAGHXYNWJVCEJA\shell C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 584 wrote to memory of 1000 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 584 wrote to memory of 1000 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 584 wrote to memory of 1000 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 584 wrote to memory of 1000 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 584 wrote to memory of 1000 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 584 wrote to memory of 1000 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 584 wrote to memory of 1000 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 584 wrote to memory of 1572 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 584 wrote to memory of 1572 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 584 wrote to memory of 1572 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 584 wrote to memory of 1572 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 584 wrote to memory of 1572 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 584 wrote to memory of 1816 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 584 wrote to memory of 1816 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 584 wrote to memory of 1816 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 584 wrote to memory of 1816 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 584 wrote to memory of 1816 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 584 wrote to memory of 304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 584 wrote to memory of 304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 584 wrote to memory of 304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 584 wrote to memory of 304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 584 wrote to memory of 304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 584 wrote to memory of 304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 584 wrote to memory of 304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe

"C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding CEDBA5AD86F44ED95C5E1746D47EE1B6

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 6385BB05E9DCAAA4314D5E27D9D029A3

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 03711749E712CEBAA14496C1E9717603 M Global\MSI0000

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 223D15F8382E76205F5131F985DB3257 M Global\MSI0000

Network

N/A

Files

memory/1600-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

memory/1600-55-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1600-56-0x0000000000400000-0x000000000040C000-memory.dmp

memory/584-57-0x000007FEFB781000-0x000007FEFB783000-memory.dmp

memory/1000-58-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSI83C1.tmp

MD5 d1f5ce6b23351677e54a245f46a9f8d2
SHA1 0d5c6749401248284767f16df92b726e727718ca
SHA256 57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc
SHA512 960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

\Windows\Installer\MSI83C1.tmp

MD5 d1f5ce6b23351677e54a245f46a9f8d2
SHA1 0d5c6749401248284767f16df92b726e727718ca
SHA256 57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc
SHA512 960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

C:\Windows\Installer\MSI8603.tmp

MD5 4a843a97ae51c310b573a02ffd2a0e8e
SHA1 063fa914ccb07249123c0d5f4595935487635b20
SHA256 727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086
SHA512 905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

\Windows\Installer\MSI8603.tmp

MD5 4a843a97ae51c310b573a02ffd2a0e8e
SHA1 063fa914ccb07249123c0d5f4595935487635b20
SHA256 727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086
SHA512 905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

C:\Windows\Installer\MSI86BF.tmp

MD5 4a843a97ae51c310b573a02ffd2a0e8e
SHA1 063fa914ccb07249123c0d5f4595935487635b20
SHA256 727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086
SHA512 905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

\Windows\Installer\MSI86BF.tmp

MD5 4a843a97ae51c310b573a02ffd2a0e8e
SHA1 063fa914ccb07249123c0d5f4595935487635b20
SHA256 727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086
SHA512 905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

C:\Windows\Installer\MSI89BD.tmp

MD5 d1f5ce6b23351677e54a245f46a9f8d2
SHA1 0d5c6749401248284767f16df92b726e727718ca
SHA256 57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc
SHA512 960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

\Windows\Installer\MSI89BD.tmp

MD5 d1f5ce6b23351677e54a245f46a9f8d2
SHA1 0d5c6749401248284767f16df92b726e727718ca
SHA256 57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc
SHA512 960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

\Windows\Installer\MSI8F78.tmp

MD5 85221b3bcba8dbe4b4a46581aa49f760
SHA1 746645c92594bfc739f77812d67cfd85f4b92474
SHA256 f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f
SHA512 060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

C:\Windows\Installer\MSI8F78.tmp

MD5 85221b3bcba8dbe4b4a46581aa49f760
SHA1 746645c92594bfc739f77812d67cfd85f4b92474
SHA256 f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f
SHA512 060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

C:\Windows\Installer\MSI90A3.tmp

MD5 33908aa43ac0aaabc06a58d51b1c2cca
SHA1 0a0d1ce3435abe2eed635481bac69e1999031291
SHA256 4447faacefaba8f040822101e2a4103031660de9139e70ecff9aa3a89455a783
SHA512 d5216a53df9cfbe1a78629c103286eb17042f639149c46b6a1cd76498531ae82afd265462fbe0ba9baaff275fc95c66504804f107c449f3fc5833b1ed9c3da46

\Windows\Installer\MSI90A3.tmp

MD5 33908aa43ac0aaabc06a58d51b1c2cca
SHA1 0a0d1ce3435abe2eed635481bac69e1999031291
SHA256 4447faacefaba8f040822101e2a4103031660de9139e70ecff9aa3a89455a783
SHA512 d5216a53df9cfbe1a78629c103286eb17042f639149c46b6a1cd76498531ae82afd265462fbe0ba9baaff275fc95c66504804f107c449f3fc5833b1ed9c3da46

C:\Windows\Installer\MSI947B.tmp

MD5 4a843a97ae51c310b573a02ffd2a0e8e
SHA1 063fa914ccb07249123c0d5f4595935487635b20
SHA256 727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086
SHA512 905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

\Windows\Installer\MSI947B.tmp

MD5 4a843a97ae51c310b573a02ffd2a0e8e
SHA1 063fa914ccb07249123c0d5f4595935487635b20
SHA256 727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086
SHA512 905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

memory/1572-74-0x0000000000000000-mapping.dmp

\Windows\Installer\MSI994C.tmp

MD5 ff58cd07bf4913ef899efd2dfb112553
SHA1 f14c1681de808543071602f17a6299f8b4ba2ae8
Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-04 17:20

Reported: 2022-11-04 17:22

Platform: win10v2004-20220812-en

Max time kernel: 150s

Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe"

Signatures

Detected Xorist Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xorist Ransomware

ransomware xorist

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6J1IMrImAiEKru9.exe" C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\FileRepository\usbcir.inf_amd64_a19f675674962ae4\CIRCoInst.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\dsparse.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\0015\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\EdgeManager.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\OEM\Professional\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\Nlsdl.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\wpnclient.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\SHARED\IMEPADSM.DLL C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\mstask.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc120deu.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\WindowsFeatureSet\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\fontsub.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\HeatCore.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\KBDPL1.DLL C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\SndVolSSO.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\xusb22.inf_amd64_d0f2fd4c931f4672\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\WmiApRpl.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmgen.inf_amd64_977aa23dfab87f15\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\I386\UNIDRVUI.DLL C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wnetvsc_vfpp.inf_amd64_9ce6f68c11eede58\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netevbda.inf_amd64_1503f4d5a0d6ba56\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wvmic_shutdown.inf_amd64_bce6891915e70bbf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\odpdx32.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\odbccp32.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\setup\msdtcstp.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\cscapi.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\Dism\ProvProvider.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\downlevel\api-ms-win-crt-private-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\digitalmediadevice.inf_amd64_5b64b65052c3a32a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\easwrt.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\webservices.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\tokenbinding.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\wshunix.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmmts.inf_amd64_bc07e137c52c529a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\rdpbus.inf_amd64_05ebd3b4422f62ba\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\msvfw32.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\cmgrcspps.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\smartscreenps.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\wbem\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\ja\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\autochk.exe C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\directml.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\DMAlertListener.ProxyStub.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\downlevel\api-ms-win-core-fibers-l1-1-1.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\nshwfp.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\odbccu32.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\MsCtfMonitor.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\MUI\0C0A\mscorees.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\packager.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\dimsroam.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\F12\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\nshipsec.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\msdtcwmi.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows.Media.FaceAnalysis.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\SHARED\imecfm.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\msfeedsbs.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\nlmgp.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc120jpn.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SysWOW64\cewmdm.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.scale-125.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Square310x310Logo.scale-100.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-80_contrast-white.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\mrt100_app.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-256.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\extensions\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-250.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2native.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Microsoft.Graphics.Canvas.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast_retina.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ky.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\concrt140_app.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-30_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\GFX.DLL C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libtransform_plugin.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-72.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-400.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_fil.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_file_plugin.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare71x71Logo.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\swscale-5_ms.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256_altform-fullcolor.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\StoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\typing\bubble\black.gif C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.DataSetExtensions.Resources.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Photos.Viewer.Plugins.Native.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-100.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\LargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..c-service.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_88f39fbd621cda6b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Input.Manipulations.resources\v4.0_4.0.0.0_de_b77a5c561934e089\System.Windows.Input.Manipulations.resources.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\system.data.sqlxml.resources.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fr\Microsoft.Build.Tasks.resources.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_dual_wdmaudio.inf_31bf3856ad364e35_10.0.19041.746_none_8cc50abfaa861487\SysFxUI.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-onecore-deviceupdatecenter-csp_31bf3856ad364e35_10.0.19041.1202_none_e35d603e7b0f54a6\DeviceUpdateCenterCsp.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.Aero2\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.Aero2.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\1036\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-g..ation-wincomponents_31bf3856ad364e35_10.0.19041.746_none_79bfc5cb57157e98\r\LocationWinPalMisc.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-n..ients-svc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a22d4db313525670\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.264_none_0e32f443c4669fed\r\hvix64.exe C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-http.resources_31bf3856ad364e35_10.0.19041.1_de-de_1ff5905086c51169\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-l..omhandler.resources_31bf3856ad364e35_10.0.19041.1_de-de_4fe760915b8fb25f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.Resources\v4.0_1.0.0.0_it_31bf3856ad364e35\Microsoft.Management.Infrastructure.Resources.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\Microsoft.Data.Entity.Build.Tasks.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.UI.Search\Images\logo.contrast-black_scale-80.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_dual_prnms012.inf_31bf3856ad364e35_10.0.19041.1_none_a3feabb281faa7e4\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_hyperv-virtio_31bf3856ad364e35_10.0.19041.928_none_353d3d5427d43fb8\r\vmvirtio.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..ion-mfcaptureengine_31bf3856ad364e35_10.0.19041.906_none_ca9fe18cfc715c42\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..tion_service_iasnap_31bf3856ad364e35_10.0.19041.1_none_2f6bce0df481ff63\iasnap.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\1031\vbc7ui.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\TileSmall.contrast-white_scale-400.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..dlinetool.resources_31bf3856ad364e35_10.0.19041.1_it-it_c4cad365b837612e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\Square150x150Logo.scale-125.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ES\Microsoft.VisualBasic.resources.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\XsdBuildTask.resources.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\speech\0410\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..-counters.resources_31bf3856ad364e35_10.0.19041.1_de-de_f7974574dade5511\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_dc1-controller.inf.resources_31bf3856ad364e35_10.0.19041.610_en-us_50581d2c454a61af\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_ipoib6x.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_b5d503a2b3e27a44\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\assembly\GAC_MSIL\PresentationUI.Resources\3.0.0.0_fr_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5#\c22867030e5bfe64cd2f01ea2a121306\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceModel.Discovery.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-b..ndactivitymoderator_31bf3856ad364e35_10.0.19041.1_none_8b4593ccb753f4e5\BamSettingsClient.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..namespace-downlevel_31bf3856ad364e35_10.0.19041.1_none_7d55e8342077d456\api-ms-win-core-sysinfo-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..ty-backcompat-tlb28_31bf3856ad364e35_10.0.19041.1_none_67b8a0001d6daa67\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mccs-aphostservice_31bf3856ad364e35_10.0.19041.746_none_33374e3aacb7c6e6\r\APHostService.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-warp-jitexecutable_31bf3856ad364e35_10.0.19041.1_none_83ab1c56c187ef65\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..serverapi.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d658b86d647b1026\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\403-17.htm C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_11.0.19041.1081_none_187c84191909cd57\f\msfeeds.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_11.0.19041.1165_none_cbcbe0c900c7339c\r\edgehtml.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mtf_31bf3856ad364e35_10.0.19041.1_none_5e7425adfabb084c\MTF.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.Runtime.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.5\fr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\PhishSite_Iframe.htm C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_dual_wvpci.inf_31bf3856ad364e35_10.0.19041.1_none_1f444c4add774c0c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\f\fontext.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..rolviewer.resources_31bf3856ad364e35_11.0.19041.1_de-de_e365cb47d7f752c9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.19041.1266_none_b2317523477fbd48\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mpg4decd_31bf3856ad364e35_10.0.19041.1165_none_d57648831732f137\r\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.84_none_24f8aafdaceaf0b5\square150x150logo.scale-125.png C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..le-server.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d34d00a50f6f11b1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEHost.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-apprep-chxapp.appxmain_31bf3856ad364e35_10.0.19041.423_none_15f557c171018574\f\CHXSmartScreen.exe C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ie-iechooser.resources_31bf3856ad364e35_11.0.19041.1_it-it_323e942ef84693b2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-iis-aspbinaries_31bf3856ad364e35_10.0.19041.906_none_6aa8dc8fc623977c\asp.dll C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..nese-eacommonapijpn_31bf3856ad364e35_10.0.19041.746_none_6fecf6012ef3141e\f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-e..t-onecore.resources_31bf3856ad364e35_10.0.19041.1_en-us_9459bc7bcfac64cd\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-n..ider-infrastructure_31bf3856ad364e35_10.0.19041.546_none_8a1687c8ee003137\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
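
Two things in the file tables above deserve a note for whoever turns this report into detections. First, the ransom note name `ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt` is not extraction damage: it is the cp1251 byte string `КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt` ("HOW TO DECRYPT FILES.txt") written through an ANSI file API on a host whose system code page is 1252, so on an English-locale machine the file really is created under that Latin-looking name, while a Russian-locale host shows the Cyrillic one; both spellings are the indicator to search for. Second, the sample drops one copy of that note into every directory it walks and opens DLLs, EXEs and images under Program Files and Windows for modification; a "File opened for modification" row records an open with write access, and the table does not show whether the write succeeded on ACL-protected paths such as WinSxS. The following is an added example, not code from the report or the sandbox vendor: it decodes the note name and runs a "note spray" heuristic over rows in the report's own row format (one process creating the same file name in several directories while also opening files of several types for writing). The row format assumed by the regex, the thresholds, and the control row for the hypothetical benign process `C:\Tools\build.exe` are assumptions; the sample rows are constructed to mirror entries in the tables above.

```python
import re
from collections import defaultdict

# Ransom note file name exactly as the sandbox tables show it
# (cp1251 bytes rendered through code page 1252).
NOTE_NAME_AS_SEEN = "ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt"


def decode_ansi_name(name, written_as="cp1251", shown_as="cp1252"):
    """Recover the name the author wrote: re-encode the displayed string with
    the host's code page, then decode the bytes with the one the sample used.
    Names that do not round-trip are returned unchanged."""
    try:
        return name.encode(shown_as).decode(written_as)
    except UnicodeError:
        return name


PROC = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe")

# Constructed sample rows in the report's "Description Indicator Process Target"
# layout. The first seven mirror entries from the tables above; the last one is
# a hypothetical benign process (C:\Tools\build.exe) used as a control.
FILE_EVENTS = [
    r"File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\1036\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt " + PROC + " N/A",
    r"File created C:\Windows\Microsoft.NET\Framework64\v3.5\fr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt " + PROC + " N/A",
    r"File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt " + PROC + " N/A",
    r"File opened for modification C:\Program Files\7-Zip\Lang\ky.txt " + PROC + " N/A",
    r"File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2native.dll " + PROC + " N/A",
    r"File opened for modification C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.264_none_0e32f443c4669fed\r\hvix64.exe " + PROC + " N/A",
    r"File opened for modification C:\Windows\SystemResources\Windows.UI.Search\Images\logo.contrast-black_scale-80.png " + PROC + " N/A",
    r"File created C:\Users\Admin\AppData\Local\Temp\build.log C:\Tools\build.exe N/A",
]

# Assumed row shape: "<action> <target path, may contain spaces> <process path> N/A".
ROW = re.compile(r"^(File created|File opened for modification) (.+) (C:\\\S+\.exe) N/A$")


def parse_file_events(rows):
    """Yield (action, directory, file name, process) for each row that parses."""
    for row in rows:
        m = ROW.match(row.strip())
        if m:
            action, path, proc = m.groups()
            directory, _, name = path.rpartition("\\")
            yield action, directory, name, proc


def note_spray_findings(rows, min_dirs=3, min_ext_kinds=3):
    """Flag a process that creates the same file name in >= min_dirs distinct
    directories while opening files of >= min_ext_kinds extensions for writing."""
    created = defaultdict(lambda: defaultdict(set))  # proc -> name -> {dirs}
    modified_exts = defaultdict(set)                 # proc -> {extensions}
    system_writes = defaultdict(int)                 # proc -> writes under Windows/Program Files
    for action, directory, name, proc in parse_file_events(rows):
        if action == "File created":
            created[proc][name].add(directory.lower())
        else:
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            modified_exts[proc].add(ext)
            if directory.lower().startswith(("c:\\windows", "c:\\program files")):
                system_writes[proc] += 1
    findings = []
    for proc, names in created.items():
        for name, dirs in names.items():
            if len(dirs) >= min_dirs and len(modified_exts[proc]) >= min_ext_kinds:
                findings.append({
                    "process": proc,
                    "note_name": name,
                    "note_name_decoded": decode_ansi_name(name),
                    "note_dirs": len(dirs),
                    "modified_extensions": sorted(modified_exts[proc]),
                    "system_writes": system_writes[proc],
                })
    return findings


if __name__ == "__main__":
    print(decode_ansi_name(NOTE_NAME_AS_SEEN))
    for finding in note_spray_findings(FILE_EVENTS):
        print(finding)
```

The thresholds are deliberately low so the eight constructed rows trigger; on real EDR file telemetry raise them and add a time window, since installers also create identically named files (licence texts, manifests) across many directories but rarely open existing DLLs and images for writing at the same time.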

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.CrySpheRe C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.CrySpheRe\ = "RYAGHXYNWJVCEJA" C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\RYAGHXYNWJVCEJA\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RYAGHXYNWJVCEJA\DefaultIcon C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\RYAGHXYNWJVCEJA\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6J1IMrImAiEKru9.exe,0" C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RYAGHXYNWJVCEJA\shell C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RYAGHXYNWJVCEJA\shell\open C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RYAGHXYNWJVCEJA C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RYAGHXYNWJVCEJA\shell\open\command C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\RYAGHXYNWJVCEJA\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6J1IMrImAiEKru9.exe" C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe N/A
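
Read together, the "Set value" rows above are a complete file-type registration, not unrelated registry noise: the new extension `.CrySpheRe` (the one appended to encrypted files, per the "Modifies extensions of user files" signature) maps to the ProgID `RYAGHXYNWJVCEJA`, whose display name is "CRYPTED!" and whose DefaultIcon and shell\open\command both point at `6J1IMrImAiEKru9.exe`, the dropped copy of the sample in the user's Temp directory. Because the keys are written under HKLM\SOFTWARE\Classes, the mapping applies to every user on the machine, and double-clicking any encrypted file re-launches the ransomware; during response the two keys and the dropped executable should be treated as one unit. The block below is an added example, not code from the report or the sandbox vendor: it parses rows in the report's row format into the Classes key tree, follows extension → ProgID → open handler, and flags handlers that live in user-writable locations. The row regex, the backslash un-escaping (the report shows the values with doubled backslashes), the list of user-writable path markers and the `handler_exe` heuristic are assumptions; the same logic applies unchanged to values read from a live host's HKLM\SOFTWARE\Classes.

```python
import re

PROC = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe")

# Constructed input: the four "Set value" rows from the table above, in the
# report's own layout (key\ = "value" <process> N/A). "Key created" rows carry
# no data the Set value rows do not, so they are omitted.
REGISTRY_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.CrySpheRe\ = "RYAGHXYNWJVCEJA" ' + PROC + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\RYAGHXYNWJVCEJA\ = "CRYPTED!" ' + PROC + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\RYAGHXYNWJVCEJA\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6J1IMrImAiEKru9.exe,0" ' + PROC + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\RYAGHXYNWJVCEJA\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6J1IMrImAiEKru9.exe" ' + PROC + " N/A",
]

# Assumed row shape; the key has no spaces, the quoted value may contain anything.
SET_VALUE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(\S+?)\\ = "(.*)" \S+ N/A$'
)

# Directories a standard user can write to. A file-type handler living here is
# a red flag: any user-level malware can plant and later re-trigger it.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_classes(rows):
    """Map 'key relative to HKLM\\SOFTWARE\\Classes' -> its (default) string value."""
    classes = {}
    for row in rows:
        m = SET_VALUE.match(row.strip())
        if m:
            key, value = m.group(1), m.group(2)
            classes[key] = value.replace("\\\\", "\\")  # undo the report's escaping
    return classes


def handler_exe(command):
    """Executable named by a shell\\open\\command or DefaultIcon value
    (surrounding quotes, ',<index>' and arguments stripped)."""
    cmd = command.strip().strip('"')
    idx = cmd.lower().find(".exe")
    return cmd[: idx + 4] if idx != -1 else cmd.split(" ")[0]


def file_association_findings(rows):
    """Follow every extension key to its ProgID and open handler and rate it."""
    classes = parse_classes(rows)
    findings = []
    for key, progid in classes.items():
        if not key.startswith(".") or "\\" in key:
            continue  # only top-level extension keys such as ".CrySpheRe"
        command = classes.get(progid + r"\shell\open\command")
        if command is None:
            continue
        exe = handler_exe(command)
        icon = classes.get(progid + r"\DefaultIcon", "")
        reasons = []
        if any(marker in exe.lower() for marker in USER_WRITABLE):
            reasons.append("open handler lives in a user-writable directory")
        if icon and handler_exe(icon).lower() == exe.lower():
            reasons.append("DefaultIcon is served by the same executable as the handler")
        findings.append({
            "extension": key,
            "progid": progid,
            "friendly_name": classes.get(progid, ""),
            "handler": exe,
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in file_association_findings(REGISTRY_ROWS):
        print(finding)
```

For this sample the single finding is `.CrySpheRe` → `RYAGHXYNWJVCEJA` ("CRYPTED!") → `C:\Users\Admin\AppData\Local\Temp\6J1IMrImAiEKru9.exe`, rated suspicious on both counts. Legitimate per-user installs (browsers, editors) also register handlers under AppData, so on a live host pair the path check with the signer of the handler binary and with whether the extension existed before the incident window.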

Processes

C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe

"C:\Users\Admin\AppData\Local\Temp\9680ddca296d16b58ceb381308e58509d73eafbf92d884b4a5865dcb843c0a63.exe"

Network

Country Destination Domain Proto
US 20.189.173.13:443 tcp
US 204.79.197.200:443 tcp
NL 104.80.225.205:443 tcp
NL 95.101.78.82:80 tcp
NL 95.101.78.82:80 tcp

Files

memory/4632-132-0x0000000000400000-0x000000000040C000-memory.dmp

memory/4632-133-0x0000000000400000-0x000000000040C000-memory.dmp