Malware Analysis Report

2024-10-19 10:39

Sample ID: 221120-c2cktsfh5t
Target: 48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d
SHA256: 48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d
Tags: xorist persistence ransomware spyware stealer upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d
Threat Level: Known bad

The file 48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d was found to be: Known bad.

Malicious Activity Summary

Tags: xorist persistence ransomware spyware stealer upx

Xorist Ransomware
Detected Xorist Ransomware
UPX packed file
Modifies extensions of user files
Drops file in Drivers directory
Reads user/profile data of web browsers
Adds Run key to start application
Sets desktop wallpaper using registry
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Suspicious use of WriteProcessMemory
Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-20 02:33

Signatures

UPX packed file (tags: upx)

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-20 02:33
Reported: 2022-11-20 02:36
Platform: win10v2004-20220901-en
Max time kernel: 91s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe"

Signatures

Detected Xorist Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Xorist Ransomware (tags: ransomware xorist)

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A

Modifies extensions of user files (tags: ransomware)

Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ExitUnprotect.png => C:\Users\Admin\Pictures\ExitUnprotect.png.fullcrypted C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A

UPX packed file (tags: upx)

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers (tags: spyware stealer)

Adds Run key to start application (tags: persistence)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34EeU833qyc18xe.exe" C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\@WirelessDisplayToast.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\DefaultAccountTile.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\SecurityAndMaintenance_Alert.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\SecurityAndMaintenance_Error.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\@AppHelpToast.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\@AudioToastIcon.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.ppt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsCodecsRaw.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\@EnrollmentToastIcon.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\@VpnToastIcon.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\SecurityAndMaintenance.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\Bthprops\@BthpropsNotificationLogo.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A

Sets desktop wallpaper using registry (tags: ransomware)

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mmpbdegijlmoabdf.bmp" C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square150x150Logo.scale-200.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-150.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\MedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-125.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-400.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-150_contrast-white.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-32.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-256.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-24_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-32_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-200.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_en_CA.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\az.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-24_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_altform-unplated_contrast-high.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\is.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.PNG C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-64_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteReplayCrossHairIcon-1.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-96_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-4x.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\178.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlMiddleCircleHover.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-colorize.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-125.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\upsell-2x.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-100.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-30_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\music_offline_demo_page2.jpg C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tr.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_BadgeLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSplashScreen.scale-400_contrast-black.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..okerplugin.appxmain_31bf3856ad364e35_10.0.19041.1202_none_d081f9868ac0a804\PasswordExpiry.scale-400.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.19041.746_none_2b9acc2d69574796\RequestedDownloadsLargeCloudIcon.contrast-white_scale-150.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1258.TXT C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-white\AppListIcon.scale-400.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\WiFiNetworkManagerWarningToast.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\i_delete.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare44x44.targetsize-96_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.19041.746_none_2b9acc2d69574796\RequestedDownloadsCloudIcon.contrast-white_scale-400.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Assets\PasswordExpiry.contrast-black_scale-400.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\Square44x44Logo.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\disconnectIcon.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\Square310x310Logo.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorUWPSquare44x44Logo.scale-400_contrast-black.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\PeopleLogo.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..e.desktop.searchapp_31bf3856ad364e35_10.0.19041.1_none_43fe9f4e368e081f\4.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..honyinteractiveuser_31bf3856ad364e35_10.0.19041.906_none_a6600355b5f69459\DropAccept.scale-300.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\RatingStars35.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Outlook.Theme-Light_Scale-200.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\500-14.htm C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_6fa7e5bbaa15a17d\topGradRepeat.jpg C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.423_none_72535ca9b59a9515\NarratorUWPSplashScreen.scale-400.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\InputApp\InputApp\Assets\SplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\Assets\KbdFunction.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\splashscreen.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\eventTracepoint.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.1_none_4a388618f6365227\NarratorUWPSquare44x44Logo.targetsize-24_contrast-black.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_6fa7e5bbaa15a17d\selectedTab_1x1.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-64_contrast-black.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\storelogo.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.1_none_b1e502c19c2a358b\Wide310x150Logo.contrast-white_scale-150.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-appresolverux.appxmain_31bf3856ad364e35_10.0.19041.1_none_b719750f25d4cc37\SquareTile44x44.scale-100.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RetailDemo\retailDemoAdvancedInclusive.html C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\Assets\WideLogo310x150.scale-400.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\foreground.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.423_none_bfcb7b02f95b1e52\PeopleLogo.targetsize-40_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..in.assets.searchapp_31bf3856ad364e35_10.0.19041.1_none_501fda1ac26a3cf4\Splashscreen.contrast-white_scale-80.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\14.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Assets\StoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\TinyTile.contrast-black_scale-400.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1_none_97b0a47239f6db64\PeopleLogo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\ImmersiveControlPanel\images\Globe.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare150x150Logo.scale-150_contrast-white.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\TabSweepExplanation.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\dockH.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare44x44.targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1202_none_8f7e37524c3e1a13\TileSmall.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare71x71.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\i_f12_context_chartselection_clear.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..usnotificationuxexe_31bf3856ad364e35_10.0.19041.1266_none_e8d910c7c702b558\@WindowsUpdateToastIcon.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\Breakpoints\images\eventTracepointDisabled.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.746_none_0b4ed891dd9ccbc8\square44x44logo.scale-150_contrast-white.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\AddNewRuleIcon.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ast-black.searchapp_31bf3856ad364e35_10.0.19041.1_none_e479c512c8bfeb66\AppListIcon.targetsize-16_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..honyinteractiveuser_31bf3856ad364e35_10.0.19041.906_none_a6600355b5f69459\Answer.scale-150.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.19041.1_none_91b1f58702057373\NearShare.scale-400.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\ImmersiveControlPanel\images\splashscreen.scale-400.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobecortana-main.html C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_10.0.19041.1_none_aa1fc2e87b362d12\Registry Editor.lnk C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Ring03.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.746_none_fa033ad7aa9be481\Speech Sleep.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.19041.1_none_91b1f58702057373\DefaultSystemNotification.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\InputApp\Assets\SquareLogo310x310.scale-200.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34EeU833qyc18xe.exe" C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.fullcrypted\ = "BYWWLWTPWPUCPSO" C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34EeU833qyc18xe.exe,0" C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\shell\open\command C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\shell\open C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.fullcrypted C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\DefaultIcon C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\shell C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4060 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe
PID 4060 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe
PID 4060 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe
PID 4060 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe
PID 4060 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe
PID 4060 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe
PID 4060 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe
PID 4060 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe

"C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe"

C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe

C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe

Network

Country Destination Domain Proto
N/A 13.107.21.200:443 tcp
N/A 8.253.208.120:80 tcp
N/A 20.189.173.5:443 tcp
N/A 8.253.208.120:80 tcp
N/A 8.253.208.120:80 tcp
N/A 8.253.208.120:80 tcp
N/A 8.253.208.120:80 tcp

Files

memory/4060-132-0x0000000000400000-0x000000000046B000-memory.dmp

memory/4920-133-0x0000000000000000-mapping.dmp

memory/4920-134-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/4060-135-0x0000000000400000-0x000000000046B000-memory.dmp

memory/4920-137-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/4920-138-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/4920-139-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/4920-140-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/4920-141-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/4920-142-0x0000000000400000-0x00000000004C2000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-20 02:33

Reported

2022-11-20 02:37

Platform

win7-20221111-en

Max time kernel

150s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe"

Signatures

Detected Xorist Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xorist Ransomware

ransomware xorist

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34EeU833qyc18xe.exe" C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\catroot2\dberr.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_WMI_Cmdlets.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_type_operators.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Line_Editing.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_requirements.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_output.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_If.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Switch.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Core_Commands.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Comparison_Operators.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_properties.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_pssessions.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_pssession_details.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_command_precedence.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_data_sections.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_scripts.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Quoting_Rules.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Session_Configurations.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_do.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_logical_operators.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_transactions.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_prompts.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Quoting_Rules.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_script_internationalization.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_preference_variables.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_do.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_hash_tables.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Windows_PowerShell_ISE.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Redirection.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_parameters.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_FAQ.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Switch.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsMovieMaker.bmp C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Break.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Arithmetic_Operators.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Line_Editing.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_job_details.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Signing.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Line_Editing.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_split.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_script_internationalization.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\WindowsPhotoGallery.bmp C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_History.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_job_details.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_advanced_methods.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_requires.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_type_operators.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Ref.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_requirements.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_scopes.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_wildcards.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_WMI_Cmdlets.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_pssession_details.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_debuggers.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_execution_policies.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Return.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Core_Commands.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_arrays.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_split.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Reserved_Words.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_wildcards.help.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile16.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\picturePuzzle.html C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_settings.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\31.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14528_.GIF C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_justify.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_sun.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Services\verisign.bmp C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATE.JPG C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Casual.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\UnblockRequest.mp4 C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\BOMB.WAV C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\blank.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14654_.GIF C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15155_.GIF C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ViewHeaderPreview.jpg C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_top.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Earthy.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_hov.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.JPG C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\calendar.html C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImagesMask.bmp C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\THROAT.WAV C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_GreenTea.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\SettingsInternal.zip C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01770_.GIF C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CHECKBOX.JPG C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_s.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15022_.GIF C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Media\Calligraphy\Windows Logon Sound.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Delta\Windows Hardware Remove.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Garden\Windows Hardware Insert.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Scenes\img25.jpg C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Windows Minimize.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\ehome\ja-JP\playReady_eula_oem.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Characters\img21.jpg C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..eady_eula.resources_31bf3856ad364e35_6.1.7600.16385_es-es_959ec7b53a342ec3\playReady_eula_oem.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Sonata\Windows Hardware Remove.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Windows Battery Critical.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Cityscape\Windows Battery Critical.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Cityscape\Windows User Account Control.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Festival\Windows Critical Stop.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Festival\Windows Pop-up Blocked.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Calligraphy\Windows Battery Low.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Cityscape\Windows Balloon.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Raga\Windows Hardware Remove.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Characters\Windows Pop-up Blocked.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Delta\Windows Hardware Insert.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Garden\Windows Logoff Sound.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Heritage\Windows Print complete.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_leftCorner.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_en-us_29b70e81faa66c43\epgtos.txt C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Afternoon\Windows Error.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Garden\Windows Balloon.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Landscape\Windows Feed Discovered.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Windows Ringout.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Heritage\Windows Ding.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\ir_end.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\Gadget_Waitcursor.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Architecture\img18.jpg C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Festival\Windows Exclamation.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Quirky\Windows Ding.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Raga\Windows Print complete.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Performance\WinSAT\Clip_1080_5sec_10mbps_h264.mp4 C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Performance\WinSAT\Clip_480p_5sec_6mbps_new.mpg C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\settings.html C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\AU-wp5.jpg C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Characters\Windows Notify.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Delta\Windows Battery Low.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Savanna\Windows User Account Control.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\Gadget_Main_Background_Loading.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-US\Wallpaper\US-wp4.jpg C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Calligraphy\Windows Battery Critical.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Quirky\Windows Hardware Insert.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\recycle.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Landscape\Windows Print complete.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Landscapes\img8.jpg C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_6.1.7601.17514_none_a54b31331066c8e2\watermark.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\logo.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\button_play.png C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Characters\Windows Logon Sound.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Sonata\Windows Navigation Start.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Windows Exclamation.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Afternoon\Windows Battery Critical.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Landscape\Windows Battery Low.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Media\Raga\Windows Feed Discovered.wav C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A

Modifies registry class

These rows register a new file extension, .fullcrypted, and bind it to the ProgID BYWWLWTPWPUCPSO (display name "CRYPTED!"). That ProgID's DefaultIcon and shell\open\command both point at a second executable under the user's Temp directory, C:\Users\Admin\AppData\Local\Temp\34EeU833qyc18xe.exe, so opening any file renamed to .fullcrypted launches the dropped executable. Both the ProgID and the dropped file name are sample-specific and make useful host indicators.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.fullcrypted C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.fullcrypted\ = "BYWWLWTPWPUCPSO" C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34EeU833qyc18xe.exe,0" C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\shell\open\command C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\shell C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34EeU833qyc18xe.exe" C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\DefaultIcon C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\shell\open C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe N/A
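The rows above are easier to reason about as one chain (extension → ProgID → open command) than as ten unordered registry events. The following Python is an added example, not part of the sandbox report or of any vendor tooling: it parses the report's "Set value" rows (copied below as constructed input), rebuilds the association chain, and flags a handler whose open command lives in a user-writable location. The regex, the USER_WRITABLE markers and the Association class are the author's assumptions about how an analyst would triage such rows.

```python
"""Rebuild the file-association chain a sandbox saw written under
HKLM\\SOFTWARE\\Classes and flag handlers pointing into user-writable paths.

Added example; the input rows are copied from the report, the parsing and the
hijack heuristic are the author's own."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the Description + Indicator columns of the report's rows.
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.fullcrypted',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.fullcrypted\ = "BYWWLWTPWPUCPSO"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\ = "CRYPTED!"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34EeU833qyc18xe.exe,0"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\shell\open\command',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\shell',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34EeU833qyc18xe.exe"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\DefaultIcon',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BYWWLWTPWPUCPSO\shell\open',
]

CLASSES_PREFIX = r'\REGISTRY\MACHINE\SOFTWARE\Classes' + '\\'
# "Set value (str) <key>\ = "<value>"" as the report prints it; key has no spaces.
SET_RE = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\S*?)\\ = "(?P<val>.*)"$')

# Author's heuristic: an installed file handler does not normally live under a
# user profile, Temp or ProgramData; an open command there is a hijack indicator.
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\temp\\', '\\programdata\\')


@dataclass
class Association:
    extension: str
    progid: str
    friendly_name: Optional[str]
    open_command: Optional[str]
    default_icon: Optional[str]

    @property
    def suspicious(self) -> bool:
        cmd = (self.open_command or '').lower()
        return any(marker in cmd for marker in USER_WRITABLE)


def parse_set_values(rows: List[str]) -> Dict[str, str]:
    """Return {key relative to Classes\\: value} for the 'Set value' rows."""
    values: Dict[str, str] = {}
    for row in rows:
        m = SET_RE.match(row)
        if not m or not m.group('key').startswith(CLASSES_PREFIX):
            continue  # 'Key created' rows carry no value and are skipped
        rel = m.group('key')[len(CLASSES_PREFIX):]
        # The report prints REG_SZ backslashes doubled; restore single ones.
        values[rel] = m.group('val').replace('\\\\', '\\')
    return values


def associations(rows: List[str]) -> List[Association]:
    """Walk every extension key (.ext) to its ProgID and the ProgID's handler."""
    values = parse_set_values(rows)
    found = []
    for rel, progid in values.items():
        if not rel.startswith('.'):
            continue
        found.append(Association(
            extension=rel,
            progid=progid,
            friendly_name=values.get(progid),
            open_command=values.get(progid + r'\shell\open\command'),
            default_icon=values.get(progid + r'\DefaultIcon'),
        ))
    return found


if __name__ == '__main__':
    for a in associations(SAMPLE_ROWS):
        flag = 'SUSPICIOUS' if a.suspicious else 'ok'
        print(f'{a.extension} -> {a.progid} ({a.friendly_name}) -> {a.open_command} [{flag}]')
```

On a live host the same walk applies to HKLM:\SOFTWARE\Classes and HKCU:\SOFTWARE\Classes: enumerate keys beginning with a dot, follow the default value to the ProgID, and inspect shell\open\command for paths under a user profile.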

Suspicious use of WriteProcessMemory

All eight writes go from PID 656 to PID 572, and both PIDs run the sample's own image, so the dropper is writing into a second instance of itself. Read together with the SetThreadContext signature in the summary and the memory dumps under Files (the child's region at the image base spans 0x400000-0x4C2000, the parent's only 0x400000-0x46B000), this is consistent with a UPX-packed loader writing an unpacked payload into a copy of itself rather than running the packed code directly.

Description Indicator Process Target
PID 656 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe
PID 656 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe
PID 656 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe
PID 656 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe
PID 656 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe
PID 656 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe
PID 656 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe
PID 656 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe

"C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe"

C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe

C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe

Network

N/A

Files

memory/656-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

memory/656-55-0x0000000000400000-0x000000000046B000-memory.dmp

memory/572-56-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/572-57-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/572-59-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/572-60-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/572-61-0x00000000004C08F0-mapping.dmp

memory/572-64-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/572-65-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/572-66-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/572-67-0x0000000000400000-0x00000000004C2000-memory.dmp
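The WriteProcessMemory rows and the memory dump names above carry enough to check the self-injection reading mechanically. The following Python is an added example, not part of the report or of the sandbox: it parses both sets of lines (copied below as constructed input), pairs each writer/target PID with the dumped regions at the 32-bit image base, and flags the case where a parent writes into a child running the same image whose image-base region is larger than the parent's and which has a mapping dump inside that region. Treating the mapping.dmp address as the thread-context address set by SetThreadContext is the author's assumption, as is the whole heuristic.

```python
"""Relate a sandbox's WriteProcessMemory rows to its memory dumps and score a
parent-writes-into-copy-of-itself pattern.

Added example; inputs are copied from the report, the heuristic is the author's."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SAMPLE_EXE = r'C:\Users\Admin\AppData\Local\Temp\48ed28cfb53a72e291f67a4f4cd11b9a7bcff5301359ade0c543be72b536ed7d.exe'
# Constructed from the report: (Description, Process, Target); the same pair appears eight times.
WPM_ROWS = [('PID 656 wrote to memory of 572', SAMPLE_EXE, SAMPLE_EXE)] * 8
# Constructed from the report's Files section.
DUMPS = [
    'memory/656-54-0x0000000075F81000-0x0000000075F83000-memory.dmp',
    'memory/656-55-0x0000000000400000-0x000000000046B000-memory.dmp',
    'memory/572-56-0x0000000000400000-0x00000000004C2000-memory.dmp',
    'memory/572-57-0x0000000000400000-0x00000000004C2000-memory.dmp',
    'memory/572-59-0x0000000000400000-0x00000000004C2000-memory.dmp',
    'memory/572-60-0x0000000000400000-0x00000000004C2000-memory.dmp',
    'memory/572-61-0x00000000004C08F0-mapping.dmp',
    'memory/572-64-0x0000000000400000-0x00000000004C2000-memory.dmp',
    'memory/572-65-0x0000000000400000-0x00000000004C2000-memory.dmp',
    'memory/572-66-0x0000000000400000-0x00000000004C2000-memory.dmp',
    'memory/572-67-0x0000000000400000-0x00000000004C2000-memory.dmp',
]

WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+)$')
REGION_RE = re.compile(r'^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$')
MAPPING_RE = re.compile(r'^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$')

Region = Tuple[int, int]


def parse_dumps(names: List[str]):
    """Return ({pid: [(start, end)]}, {pid: [mapping address]}) from dump names."""
    regions: Dict[int, List[Region]] = defaultdict(list)
    mappings: Dict[int, List[int]] = defaultdict(list)
    for name in names:
        if m := REGION_RE.match(name):
            pid, _seq, start, end = m.groups()
            regions[int(pid)].append((int(start, 16), int(end, 16)))
        elif m := MAPPING_RE.match(name):
            pid, _seq, addr = m.groups()
            mappings[int(pid)].append(int(addr, 16))
    return regions, mappings


def write_pairs(rows) -> Dict[tuple, int]:
    """Count writes per (writer pid, target pid, writer image, target image)."""
    counts: Dict[tuple, int] = defaultdict(int)
    for desc, proc, target in rows:
        if m := WPM_RE.match(desc):
            counts[(int(m.group(1)), int(m.group(2)), proc, target)] += 1
    return dict(counts)


def image_region(regions, pid: int, base: int = 0x400000) -> Optional[Region]:
    """Largest dumped region starting at the usual 32-bit image base."""
    cands = [r for r in regions.get(pid, []) if r[0] == base]
    return max(cands, key=lambda r: r[1] - r[0], default=None)


def self_injection_findings(rows, dumps) -> List[dict]:
    """Author's heuristic: same image on both sides, child image-base region
    larger than the parent's, and a mapping (context) address inside it."""
    regions, mappings = parse_dumps(dumps)
    findings = []
    for (writer, target, proc, tproc), n in write_pairs(rows).items():
        same_image = proc.lower() == tproc.lower()
        pr, cr = image_region(regions, writer), image_region(regions, target)
        grew = pr is not None and cr is not None and (cr[1] - cr[0]) > (pr[1] - pr[0])
        ctx = [a for a in mappings.get(target, []) if cr and cr[0] <= a < cr[1]]
        findings.append({
            'writer': writer, 'target': target, 'writes': n, 'same_image': same_image,
            'parent_image_size': pr and pr[1] - pr[0],
            'child_image_size': cr and cr[1] - cr[0],
            'child_image_grew': grew,
            'context_addr_in_child_image': ctx,
            'likely_self_injection': same_image and grew and bool(ctx),
        })
    return findings


if __name__ == '__main__':
    for f in self_injection_findings(WPM_ROWS, DUMPS):
        print(f)
```

For this report the single finding is eight writes from 656 into 572, a parent image region of 0x6B000 bytes against a child region of 0xC2000 bytes, and the mapping address 0x4C08F0 inside the child's region; dumping and unpacking the 572 region, not the 656 one, is where the Xorist payload should be looked for.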