Malware Analysis Report

2025-06-16 01:03

Sample ID 221123-rcplesbc6w
Target 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb
SHA256 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb
Tags xtremerat persistence rat spyware upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb

Threat Level: Known bad

The file 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware upx

Modifies WinLogon for persistence

XtremeRAT

Adds policy Run key to start application

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks computer location settings

Deletes itself

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-23 14:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-23 14:03

Reported

2022-11-23 15:02

Platform

win7-20220812-en

Max time kernel

151s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe"

Signatures

XtremeRAT

persistence spyware rat xtremerat

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1628 wrote to memory of 1380 (12 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe
PID 1380 wrote to memory of 1988 (5 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | C:\Windows\SysWOW64\svchost.exe
PID 1380 wrote to memory of 1180 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1380 wrote to memory of 1952 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | C:\Windows\SysWOW64\explorer.exe
PID 1380 wrote to memory of 1712 (5 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | C:\Windows\SysWOW64\explorer.exe
PID 1380 wrote to memory of 1884 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1380 wrote to memory of 1756 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | C:\Windows\SysWOW64\explorer.exe
PID 1380 wrote to memory of 1716 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1380 wrote to memory of 556 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | C:\Windows\SysWOW64\explorer.exe
PID 1380 wrote to memory of 1196 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1380 wrote to memory of 292 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | C:\Windows\SysWOW64\explorer.exe
PID 1380 wrote to memory of 1516 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1380 wrote to memory of 1828 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | C:\Windows\SysWOW64\explorer.exe
PID 1380 wrote to memory of 428 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe

"C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe"

C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe

"C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe

"C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe

"C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe

"C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe"

Network

N/A

Files

memory/1628-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

memory/1380-55-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1380-58-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1380-59-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1380-60-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1380-61-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1380-62-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1380-64-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1380-65-0x0000000000408600-mapping.dmp

memory/1380-66-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1380-68-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1380-69-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1380-70-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1988-73-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe

MD5 3a9d22c436ba5595f37eb85fb63179f5
SHA1 b5dd3f9223f82208b51d181c2e2bd8aef60c76ec
SHA256 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb
SHA512 3aac161a6fcd30df59253e6ce0a8fe155bea86c51d577e27f6abe1c01b8cf8f7e48381bf42793e79c9d9689b008ccafc4015ab567283d960c2691bbff6217031

memory/1988-76-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1712-79-0x0000000000000000-mapping.dmp

memory/1712-81-0x0000000074F61000-0x0000000074F63000-memory.dmp

memory/1712-82-0x0000000000400000-0x000000000046F000-memory.dmp

\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe

MD5 3a9d22c436ba5595f37eb85fb63179f5
SHA1 b5dd3f9223f82208b51d181c2e2bd8aef60c76ec
SHA256 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb
SHA512 3aac161a6fcd30df59253e6ce0a8fe155bea86c51d577e27f6abe1c01b8cf8f7e48381bf42793e79c9d9689b008ccafc4015ab567283d960c2691bbff6217031

C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe

MD5 3a9d22c436ba5595f37eb85fb63179f5
SHA1 b5dd3f9223f82208b51d181c2e2bd8aef60c76ec
SHA256 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb
SHA512 3aac161a6fcd30df59253e6ce0a8fe155bea86c51d577e27f6abe1c01b8cf8f7e48381bf42793e79c9d9689b008ccafc4015ab567283d960c2691bbff6217031

memory/1668-84-0x0000000000000000-mapping.dmp

memory/2000-97-0x0000000000408600-mapping.dmp

C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe

MD5 3a9d22c436ba5595f37eb85fb63179f5
SHA1 b5dd3f9223f82208b51d181c2e2bd8aef60c76ec
SHA256 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb
SHA512 3aac161a6fcd30df59253e6ce0a8fe155bea86c51d577e27f6abe1c01b8cf8f7e48381bf42793e79c9d9689b008ccafc4015ab567283d960c2691bbff6217031

memory/2000-102-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\yaDYVN3nb\yaDYVN3nb.nfo

MD5 3cd65f58ae0f3e1b588c34eed4246a5f
SHA1 1523fbb4ec02295e9448eafbcb805318ac7b638c
SHA256 5d31801d466968640302995d1f84a3a8937ce109808f83e13d1c231f4ee2e9e3
SHA512 d8991f849637c16ce11defa42a29b682704231c5a77e22131aa4f5c0aa1bd44fb3fa3e41e5f54814b0bd7770b7d42315183219482dc63b3b712b97a7ba973894

memory/1380-104-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2000-105-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2044-106-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe

MD5 30059fa49765d44021952cce2cbf5372
SHA1 9ac7d8f8514a6e3c49ad2c6658c645b4f7656b98
SHA256 f2ecb630f6035e24ba00709c6e235c76ce75849ee13fdf77aaa3d6a092aeffd8
SHA512 26d8b09804e7eefee47d83204e6d7d5eb9219bcb6ebf344b6f220c28e8637ae5b592c3e1f4bb9613dbad23ec1893434dbde6dd06de6cf0b44c930666050eabde

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-23 14:03

Reported

2022-11-23 15:02

Platform

win10v2004-20220812-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

XtremeRAT

persistence spyware rat xtremerat

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 identical rows; no indicator, process or target details recorded)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe N/A
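
The three tables above show the same value name, "Acrobat Debugger", written under HKLM and the user hive, in Run, RunOnce and the Policies\Explorer\Run key, by the dropper, by explorer.exe and by svchost.exe. The following is an added example (not part of this report and not the sandbox vendor's code) of a detection that parses "Set value" rows in this report's format, folds the hive and WOW6432Node variants into one key list, and flags autostart entries whose target lives in user-writable space. The three sample rows are copied from the tables above; the fourth (ExampleUpdater under Program Files) is a constructed benign control, and the row grammar is assumed from the report layout.

```python
import re

# Constructed sample input: three "Set value" rows copied from the signature tables
# above, plus one constructed benign control row (not from the report).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" C:\Windows\SysWOW64\explorer.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Acrobat Debugger = "C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" C:\Windows\SysWOW64\explorer.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Program Files\\Example\\updater.exe" C:\Program Files\Example\setup.exe N/A',
]

# Row grammar assumed from the report: Set value (type) <key\value> = "<data>" <writer> N/A
ROW_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>.+?) = "(?P<data>.*)" (?P<proc>.+?) N/A$'
)

# Autostart locations without hive or WOW6432Node, so one list covers HKLM, HKCU
# and the 32-bit redirected view.
AUTOSTART_SUFFIXES = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)

# Path fragments a standard user can write to; an autostart entry pointing here
# needs no admin rights to plant.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def normalize_key(raw_key):
    """Map a \\REGISTRY\\... path to (hive, subkey); the logged-on user's hive becomes HKCU."""
    parts = raw_key.lstrip("\\").split("\\")
    if parts[:2] == ["REGISTRY", "MACHINE"]:
        return "HKLM", "\\".join(parts[2:])
    if parts[:2] == ["REGISTRY", "USER"] and len(parts) > 2 and SID_RE.match(parts[2]):
        return "HKCU", "\\".join(parts[3:])
    return (parts[1] if len(parts) > 1 else raw_key), "\\".join(parts[2:])


def parse_row(row):
    """Parse one 'Set value' row into its parts, or return None for other row types."""
    m = ROW_RE.match(row)
    if not m:
        return None
    hive, subkey = normalize_key(m.group("key"))
    key_path, _, value_name = subkey.rpartition("\\")
    return {
        "hive": hive,
        "key": key_path,
        "value_name": value_name,
        "data": m.group("data").replace("\\\\", "\\"),  # undo the report's escaping
        "writer": m.group("proc"),
    }


def is_autostart_key(key_path):
    """True for Run, RunOnce and Policies\\Explorer\\Run in either registry view."""
    k = key_path.lower().replace(r"\wow6432node", "")
    return any(k.endswith(s) for s in AUTOSTART_SUFFIXES)


def find_autostart_entries(rows):
    """Return every autostart value write; mark those targeting user-writable paths."""
    findings = []
    for row in rows:
        entry = parse_row(row)
        if entry is None or not is_autostart_key(entry["key"]):
            continue
        target = entry["data"].lower()
        entry["suspicious"] = any(frag in target for frag in USER_WRITABLE)
        findings.append(entry)
    return findings


def writers(findings):
    """Distinct processes that wrote autostart values. The same value being written
    by several unrelated images is itself a sign the payload runs injected in them."""
    return sorted({f["writer"] for f in findings})


if __name__ == "__main__":
    for f in find_autostart_entries(SAMPLE_ROWS):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f'{flag:10} {f["hive"]}\\{f["key"]}\\{f["value_name"]} -> {f["data"]}  (by {f["writer"]})')
    print("writers:", writers(find_autostart_entries(SAMPLE_ROWS)))
```

Run against the full tables above, the same logic reports one value name written from three distinct images, which is the cross-check a responder wants before concluding the RAT is resident in explorer.exe and svchost.exe rather than only in the dropper.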

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\SysWOW64\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1496 wrote to memory of 3900 (13 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe
PID 3900 wrote to memory of 3852 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Windows\SysWOW64\svchost.exe
PID 3900 wrote to memory of 2888 (2 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3900 wrote to memory of 1756 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Windows\SysWOW64\explorer.exe
PID 3900 wrote to memory of 1476 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Windows\SysWOW64\explorer.exe
PID 3900 wrote to memory of 4524 (2 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3900 wrote to memory of 4684 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Windows\SysWOW64\explorer.exe
PID 3900 wrote to memory of 1420 (2 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3900 wrote to memory of 2892 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Windows\SysWOW64\explorer.exe
PID 3900 wrote to memory of 4124 (2 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3900 wrote to memory of 2636 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Windows\SysWOW64\explorer.exe
PID 3900 wrote to memory of 4668 (2 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3900 wrote to memory of 5032 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Windows\SysWOW64\explorer.exe
PID 3900 wrote to memory of 3568 (2 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3900 wrote to memory of 2296 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Windows\SysWOW64\explorer.exe
PID 3900 wrote to memory of 4368 (2 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3900 wrote to memory of 4316 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Windows\SysWOW64\explorer.exe
PID 3900 wrote to memory of 1300 (2 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3900 wrote to memory of 3476 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Windows\SysWOW64\explorer.exe
PID 3900 wrote to memory of 4520 (2 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3900 wrote to memory of 4540 (2 calls) N/A C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe C:\Windows\SysWOW64\explorer.exe

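The WriteProcessMemory table shows two distinct patterns: the first dropper instance (PID 1496) writing into a second copy of its own image (PID 3900), and that second copy then writing into a long series of explorer.exe and msedge.exe instances plus one svchost.exe. The following is an added example (not from this report or the sandbox vendor) that parses rows in this format into a writer-to-target graph and scores each writer on three signals: writing into a process running its own image, fan-out to many distinct targets, and a user-writable binary writing into system or browser processes. The sample rows are a subset copied from the table above with duplicates kept so the deduplication is visible; the row grammar and the fan-out threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Image paths as they appear in the report's Process/Target columns.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
EXPLORER = r"C:\Windows\SysWOW64\explorer.exe"
MSEDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed sample input: a subset of the WriteProcessMemory rows from the table
# above, duplicate rows included on purpose.
SAMPLE_ROWS = [
    f"PID 1496 wrote to memory of 3900 N/A {DROPPER} {DROPPER}",
    f"PID 1496 wrote to memory of 3900 N/A {DROPPER} {DROPPER}",
    f"PID 3900 wrote to memory of 3852 N/A {DROPPER} {SVCHOST}",
    f"PID 3900 wrote to memory of 3852 N/A {DROPPER} {SVCHOST}",
    f"PID 3900 wrote to memory of 2888 N/A {DROPPER} {MSEDGE}",
    f"PID 3900 wrote to memory of 1756 N/A {DROPPER} {EXPLORER}",
    f"PID 3900 wrote to memory of 1476 N/A {DROPPER} {EXPLORER}",
    f"PID 3900 wrote to memory of 4524 N/A {DROPPER} {MSEDGE}",
]

# Row grammar assumed from the report. An optional "(N calls)" suffix is accepted so
# rows collapsed with a call count parse the same way as one-row-per-call tables.
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)(?: \((?P<n>\d+) calls\))? N/A "
    r"(?P<src_img>.+?\.exe) (?P<dst_img>.+\.exe)$",
    re.IGNORECASE,
)

SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files")
USER_PREFIXES = ("c:\\users\\", "\\appdata\\", "\\temp\\")


def build_injection_graph(rows):
    """Map writer PID -> {"image", "targets": {pid: image}, "calls": {pid: count}}."""
    graph = {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        src, dst = int(m.group("src")), int(m.group("dst"))
        node = graph.setdefault(
            src, {"image": m.group("src_img"), "targets": {}, "calls": defaultdict(int)}
        )
        node["targets"][dst] = m.group("dst_img")
        node["calls"][dst] += int(m.group("n") or 1)
    return graph


def flag_injectors(graph, fanout_threshold=3):
    """Return one finding per writer that trips at least one injection signal."""
    findings = []
    for pid, node in sorted(graph.items()):
        src_img = node["image"].lower()
        target_imgs = {img.lower() for img in node["targets"].values()}
        reasons = []
        # Signal 1: a process writing into another instance of its own binary is the
        # spawn-suspended-and-overwrite shape (the report also flags SetThreadContext).
        if src_img in target_imgs:
            reasons.append("writes into a process running its own image")
        # Signal 2: one writer touching many distinct processes.
        if len(node["targets"]) >= fanout_threshold:
            reasons.append(f"fan-out: {len(node['targets'])} distinct target processes")
        # Signal 3: a binary in user-writable space writing into OS or browser processes.
        from_user_space = any(p in src_img for p in USER_PREFIXES)
        into_system = any(img.startswith(SYSTEM_PREFIXES) for img in target_imgs)
        if from_user_space and into_system:
            reasons.append("user-writable binary writing into system/browser processes")
        if reasons:
            findings.append({
                "pid": pid,
                "image": node["image"],
                "distinct_targets": len(node["targets"]),
                "total_calls": sum(node["calls"].values()),
                "target_images": sorted(target_imgs),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in flag_injectors(build_injection_graph(SAMPLE_ROWS)):
        print(f'PID {f["pid"]} ({f["image"]}): {f["distinct_targets"]} targets, '
              f'{f["total_calls"]} calls')
        for r in f["reasons"]:
            print("   -", r)
```

On the full table the same code yields one self-image writer (1496) and one fan-out writer (3900) with 21 distinct targets, which is the process set an incident responder should dump and scan for the RAT payload rather than only the dropper on disk.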
Processes

C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe

"C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe"

C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe

"C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe

"C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe"

C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe

"C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

Network

Country Destination Domain Proto
N/A 52.109.77.1:443 tcp
N/A 104.46.162.226:443 tcp
N/A 67.24.171.254:80 tcp
N/A 67.24.171.254:80 tcp
N/A 67.24.171.254:80 tcp
N/A 8.8.8.8:53 106.89.54.20.in-addr.arpa udp
N/A 8.8.8.8:53 xpto69.no-ip.biz udp
N/A 8.8.8.8:53 xpto69.no-ip.biz udp

Files

memory/3900-132-0x0000000000000000-mapping.dmp

memory/3900-133-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3900-134-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3900-135-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3900-136-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1476-137-0x0000000000000000-mapping.dmp

memory/1476-138-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1992-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe

MD5 3a9d22c436ba5595f37eb85fb63179f5
SHA1 b5dd3f9223f82208b51d181c2e2bd8aef60c76ec
SHA256 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb
SHA512 3aac161a6fcd30df59253e6ce0a8fe155bea86c51d577e27f6abe1c01b8cf8f7e48381bf42793e79c9d9689b008ccafc4015ab567283d960c2691bbff6217031

C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe

MD5 3a9d22c436ba5595f37eb85fb63179f5
SHA1 b5dd3f9223f82208b51d181c2e2bd8aef60c76ec
SHA256 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb
SHA512 3aac161a6fcd30df59253e6ce0a8fe155bea86c51d577e27f6abe1c01b8cf8f7e48381bf42793e79c9d9689b008ccafc4015ab567283d960c2691bbff6217031

memory/3900-142-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3392-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe

MD5 3a9d22c436ba5595f37eb85fb63179f5
SHA1 b5dd3f9223f82208b51d181c2e2bd8aef60c76ec
SHA256 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb
SHA512 3aac161a6fcd30df59253e6ce0a8fe155bea86c51d577e27f6abe1c01b8cf8f7e48381bf42793e79c9d9689b008ccafc4015ab567283d960c2691bbff6217031

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\yaDYVN3nb\yaDYVN3nb.nfo

MD5 3cd65f58ae0f3e1b588c34eed4246a5f
SHA1 1523fbb4ec02295e9448eafbcb805318ac7b638c
SHA256 5d31801d466968640302995d1f84a3a8937ce109808f83e13d1c231f4ee2e9e3
SHA512 d8991f849637c16ce11defa42a29b682704231c5a77e22131aa4f5c0aa1bd44fb3fa3e41e5f54814b0bd7770b7d42315183219482dc63b3b712b97a7ba973894

memory/3392-149-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3896-150-0x0000000000000000-mapping.dmp

memory/3896-151-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\yaDYVN3nb\yaDYVN3nb.svr

MD5 a0eaa79f7fc06363a4be2586faf870c4
SHA1 4a917e5edeb6ef24d3254cc4736c51f3328819ac
SHA256 63d2efdbaadf9ab86413b83f868eefb6e1d0affc30081e3e2a10ea2605345ee3
SHA512 b79494de07f28cd64edccedf84a07fb4d7a791c04832c82d301846449f5fd138af0a7c9a0e0fc9f78c0302b4a9d0c9fcc63313370962c2ee622ecac525dec4b8

memory/2508-153-0x0000000000000000-mapping.dmp

memory/2508-154-0x0000000001610000-0x000000000171F000-memory.dmp

memory/2508-155-0x0000000001610000-0x000000000171F000-memory.dmp

memory/2508-156-0x0000000001610000-0x000000000171F000-memory.dmp

memory/2508-158-0x0000000001610000-0x000000000171F000-memory.dmp

memory/2508-159-0x0000000001610000-0x000000000171F000-memory.dmp

memory/2508-160-0x0000000001610000-0x000000000171F000-memory.dmp

memory/2508-161-0x0000000001610000-0x000000000171F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\yaDYVN3nb\yaDYVN3nb.nfo

MD5 3cd65f58ae0f3e1b588c34eed4246a5f
SHA1 1523fbb4ec02295e9448eafbcb805318ac7b638c
SHA256 5d31801d466968640302995d1f84a3a8937ce109808f83e13d1c231f4ee2e9e3
SHA512 d8991f849637c16ce11defa42a29b682704231c5a77e22131aa4f5c0aa1bd44fb3fa3e41e5f54814b0bd7770b7d42315183219482dc63b3b712b97a7ba973894

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\yaDYVN3nb\yaDYVN3nb.dat

MD5 93e00066d099c0485cfffa1359246d26
SHA1 bc69a773f37b2f2071e25f755a66d47b871e5d98
SHA256 3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde
SHA512 d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

memory/2508-164-0x00000000016C5000-0x000000000171D000-memory.dmp

memory/2508-165-0x0000000001611000-0x00000000016C5000-memory.dmp

memory/3392-166-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2508-167-0x00000000016C5000-0x000000000171D000-memory.dmp