Malware Analysis Report

2025-06-16 01:06

Sample ID: 221123-zewrhsfg6w
Target: 4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e
SHA256: 4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e
Tags: xtremerat persistence rat spyware upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e

Threat Level: Known bad

The file 4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware upx

Modifies WinLogon for persistence

XtremeRAT

UPX packed file

Adds policy Run key to start application

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-23 20:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-23 20:38

Reported

2022-11-23 23:38

Platform

win7-20220812-en

Max time kernel

151s

Max time network

59s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe"

Signatures

Modifies WinLogon for persistence

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\SysWOW64\explorer.exe | N/A

XtremeRAT

Tags: persistence spyware rat xtremerat

Adds policy Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\InstallDir\winregedigr.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" | C:\Windows\InstallDir\winregedigr.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\InstallDir\ | C:\Windows\InstallDir\winregedigr.exe | N/A
File opened for modification | C:\Windows\InstallDir\winregedigr.exe | C:\Windows\InstallDir\winregedigr.exe | N/A
File opened for modification | C:\Windows\InstallDir\winregedigr.exe | C:\Windows\InstallDir\winregedigr.exe | N/A
File opened for modification | C:\Windows\InstallDir\ | C:\Windows\InstallDir\winregedigr.exe | N/A
File opened for modification | C:\Windows\InstallDir\winregedigr.exe | C:\Windows\InstallDir\winregedigr.exe | N/A
File opened for modification | C:\Windows\InstallDir\winregedigr.exe | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | N/A
File opened for modification | C:\Windows\InstallDir\ | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | N/A
File opened for modification | C:\Windows\InstallDir\winregedigr.exe | C:\Windows\InstallDir\winregedigr.exe | N/A
File opened for modification | C:\Windows\InstallDir\winregedigr.exe | C:\Windows\InstallDir\winregedigr.exe | N/A
File created | C:\Windows\InstallDir\winregedigr.exe | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | N/A
File opened for modification | C:\Windows\InstallDir\winregedigr.exe | C:\Windows\InstallDir\winregedigr.exe | N/A
File opened for modification | C:\Windows\InstallDir\ | C:\Windows\InstallDir\winregedigr.exe | N/A
File opened for modification | C:\Windows\InstallDir\ | C:\Windows\InstallDir\winregedigr.exe | N/A
File opened for modification | C:\Windows\InstallDir\ | C:\Windows\InstallDir\winregedigr.exe | N/A
File opened for modification | C:\Windows\InstallDir\winregedigr.exe | C:\Windows\InstallDir\winregedigr.exe | N/A
File opened for modification | C:\Windows\InstallDir\winregedigr.exe | C:\Windows\InstallDir\winregedigr.exe | N/A
File opened for modification | C:\Windows\InstallDir\winregedigr.exe | C:\Windows\InstallDir\winregedigr.exe | N/A
File opened for modification | C:\Windows\InstallDir\winregedigr.exe | C:\Windows\InstallDir\winregedigr.exe | N/A
File opened for modification | C:\Windows\InstallDir\winregedigr.exe | C:\Windows\InstallDir\winregedigr.exe | N/A
File opened for modification | C:\Windows\InstallDir\winregedigr.exe | C:\Windows\InstallDir\winregedigr.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1972 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 1972 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 1972 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 1972 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 1972 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 1972 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 1972 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 1972 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 1972 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 1972 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 1972 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 1972 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 912 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\svchost.exe
PID 912 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 596 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 596 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 596 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 596 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 308 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 308 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 308 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 308 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Windows\SysWOW64\explorer.exe
PID 912 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 912 wrote to memory of 436 | N/A | C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe | C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe

"C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe"

C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe

"C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:3460 tcp
N/A 8.8.8.8:53 fullversion.no-ip.ca udp
N/A 8.8.8.8:53 analaloca.chickenkiller.com udp
N/A 127.0.0.2:3460 tcp
N/A 127.0.0.1:3460 tcp
N/A 127.0.0.2:3460 tcp
N/A 127.0.0.1:3460 tcp
N/A 127.0.0.2:3460 tcp
N/A 127.0.0.1:3460 tcp
N/A 127.0.0.2:3460 tcp
N/A 127.0.0.1:3460 tcp
N/A 127.0.0.2:3460 tcp
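The two DNS lookups go to names under free dynamic-DNS zones, and the only TCP activity is to port 3460 on loopback addresses (127.0.0.1 and 127.0.0.2). In a sandbox that pattern most likely means the dynamic-DNS names resolved to a loopback address at detonation time (dead or parked hosts commonly do), not that the RAT talks to localhost; the IPs are therefore not usable indicators, while the two names and the port are. The Python below is an added example, not part of the report: it turns that into detection logic run over a constructed log, matching the two domains, flagging other lookups under the same zones, and reporting a port-3460 connection only when the same source resolved one of the C2 names shortly before. The log format, the sample lines and the 300-second correlation window are assumptions.

```python
"""Match DNS and connection records against this report's network indicators.

Added example, not part of the sandbox report. The log lines are constructed in a
simple whitespace-separated format (timestamp, record kind, source IP, query or
destination); the format and the sample lines are assumptions, the indicators
come from the Network table above.
"""
from typing import Dict, Iterable, List, Tuple

C2_DOMAINS = {"fullversion.no-ip.ca", "analaloca.chickenkiller.com"}  # from the report
C2_PORT = 3460                                                         # from the report
# Parent zones of the two names; both are public free dynamic-DNS domains, so
# any other lookup under them is worth a look (assumption: no business use).
DYNDNS_ZONES = ("no-ip.ca", "chickenkiller.com")
CORRELATION_WINDOW = 300.0  # seconds between a C2 lookup and a port-3460 connect


def match_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (finding, source IP, matched value) for every suspicious record.

    A TCP connect to port 3460 is only reported when the same source resolved
    one of the C2 names shortly before: in the sandbox the names resolved to
    loopback (127.0.0.1/127.0.0.2), so the destination IP in the report is not
    a usable indicator and the port alone is low-fidelity.
    """
    last_c2_lookup: Dict[str, float] = {}
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore headers and blank lines
        ts, kind, src, value = float(parts[0]), parts[1], parts[2], parts[3].lower()
        if kind == "dns":
            if value in C2_DOMAINS:
                last_c2_lookup[src] = ts
                findings.append(("c2-domain", src, value))
            elif value.endswith(tuple("." + z for z in DYNDNS_ZONES)):
                findings.append(("dyndns-zone", src, value))
        elif kind == "conn":
            _host, _, port = value.rpartition(":")
            if port.isdigit() and int(port) == C2_PORT:
                seen = last_c2_lookup.get(src)
                if seen is not None and 0 <= ts - seen <= CORRELATION_WINDOW:
                    findings.append(("c2-port-correlated", src, value))
    return findings


# Constructed sample log, not sandbox output: one host reproduces the report's
# sequence (two C2 lookups, then connects to port 3460); another only touches
# the dynamic-DNS zone and then hits port 3460 without any C2 lookup.
SAMPLE_LOG = """\
1669236000.1 dns  10.0.0.5 fullversion.no-ip.ca
1669236000.3 dns  10.0.0.5 analaloca.chickenkiller.com
1669236000.4 dns  10.0.0.5 www.microsoft.com
1669236001.0 conn 10.0.0.5 127.0.0.2:3460
1669236001.2 conn 10.0.0.5 203.0.113.7:3460
1669236001.5 conn 10.0.0.5 203.0.113.9:443
1669236002.0 dns  10.0.0.6 other.no-ip.ca
1669236003.0 conn 10.0.0.6 203.0.113.7:3460
"""

if __name__ == "__main__":
    for finding in match_log(SAMPLE_LOG.splitlines()):
        print(*finding, sep="\t")
```

The last sample line is deliberately not reported: a port-3460 connection on its own is too weak to alert on, so the correlation with a preceding C2 lookup is what gives the finding its fidelity.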

Files

Dropped files. The raw log records every write, so each file below appeared many times with identical hashes on every occurrence; the installed binary is logged both as C:\Windows\InstallDir\winregedigr.exe and as \Windows\InstallDir\winregedigr.exe. Each file is listed once here.

C:\Windows\InstallDir\winregedigr.exe (also logged as \Windows\InstallDir\winregedigr.exe; its SHA256 equals that of the submitted sample, so the installed copy is byte-identical to the original)

MD5 25d5d607c5b6bfaf201b794e751af38a
SHA1 c16b39545267bdfd8107950c03e5ea8bb72394b8
SHA256 4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e
SHA512 a7c0ecfbf2abe423267ffc327b1218ad5f72589cc72b2b0ad514d7bd25b0afb5e8c0aac308a62b150abbedb734c79a3ca596eb012193ef7e649fd88b6b2b58c9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SfMqtRCY\SfMqtRCY.nfo

MD5 f86802d11a173a36497c18c24f7117a5
SHA1 2d83fdeee6e2c2992090c241dfad2f4f1341c567
SHA256 cb28c538989e0b62588a531acf96e2f5d436f9f19bdaf4e7189ffd44c2fd2f0e
SHA512 7b6784400d1b79c710e0e4cf2ea2360e63c17a034dd69e9b4de38f3a4ddc72f299a78e62e1c7b99224882aa28140b66687efaa6f32772d101d6eda356103345a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SfMqtRCY\SfMqtRCY.svr

MD5 b6d63330959896290103db9786bd33d6
SHA1 b2558e1b4c6d9e012801a6e6564cf44fa16d6d14
SHA256 38d68f85dd0d99524efb7b537ce8fc5c7494126da1455a8d700cec51ef021c24
SHA512 54cd768f2df8e7e570a95073e1727465c6c22945334e33b835608b8933ef81d59eb33b3b5b434dde5c8b2f25130b417a076916fa4b7fcd9c33a133681cecc9b2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SfMqtRCY\SfMqtRCY.dat

MD5 93e00066d099c0485cfffa1359246d26
SHA1 bc69a773f37b2f2071e25f755a66d47b871e5d98
SHA256 3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde
SHA512 d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

Memory dumps, in the order they were taken (PID-sequence-range). The same 0x00C80000-0x00CEC000 region is dumped from many different PIDs (912, 848, 1536, 1568, 1412, 1768, 1604, 700, 1736), and the mapping dumps at 0x00C88814 sit inside it; that is consistent with one image being written into each child process, which matches the WriteProcessMemory and SetThreadContext signatures in the summary.

memory/912-56-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/912-57-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/912-59-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/912-60-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/912-61-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/912-62-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/912-63-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/912-65-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/912-66-0x0000000000C88814-mapping.dmp
memory/912-67-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/912-69-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/912-68-0x00000000751A1000-0x00000000751A3000-memory.dmp
memory/912-70-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/848-73-0x0000000000000000-mapping.dmp
memory/848-76-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/1660-79-0x0000000000000000-mapping.dmp
memory/1536-93-0x0000000000C88814-mapping.dmp
memory/1536-98-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/912-100-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/1992-102-0x0000000000000000-mapping.dmp
memory/1568-116-0x0000000000C88814-mapping.dmp
memory/1568-121-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/1352-123-0x0000000000000000-mapping.dmp
memory/1412-137-0x0000000000C88814-mapping.dmp
memory/1412-142-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/1412-144-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/1568-145-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/1536-146-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/1664-148-0x0000000000000000-mapping.dmp
memory/1768-162-0x0000000000C88814-mapping.dmp
memory/1524-168-0x0000000000000000-mapping.dmp
memory/1604-182-0x0000000000C88814-mapping.dmp
memory/1768-188-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/1604-189-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/1604-191-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/912-192-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/1740-202-0x0000000001712000-mapping.dmp
memory/1740-209-0x00000000016BD000-0x0000000001713000-memory.dmp
memory/1740-211-0x0000000001611000-0x00000000016BD000-memory.dmp
memory/1768-212-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/1740-213-0x00000000016BD000-0x0000000001713000-memory.dmp
memory/1740-214-0x00000000016BD000-0x0000000001713000-memory.dmp
memory/1984-216-0x0000000000000000-mapping.dmp
memory/700-230-0x0000000000C88814-mapping.dmp
memory/700-235-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/1660-237-0x0000000000000000-mapping.dmp
memory/1736-251-0x0000000000C88814-mapping.dmp
memory/1736-256-0x0000000000C80000-0x0000000000CEC000-memory.dmp
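The hashes above give a file-level indicator set: the installed winregedigr.exe carries the same SHA256 as the submitted sample, and the three SfMqtRCY.* files are written under the user profile. The Python below is an added example, not part of the report: it sweeps a directory tree, hashes every regular file, and reports both matches against the report's SHA256 values and files that live in the two directory names the sample creates (InstallDir, SfMqtRCY), because a repacked build changes every hash but usually keeps its install layout. The self_check() fixture and the dummy files it writes are constructed for offline testing and contain no malware.

```python
"""Sweep a directory tree for the files this sample drops, by hash and by path.

Added example, not part of the sandbox report. The hashes and directory names
come from the Files section above; self_check() writes constructed dummy files
into a temporary directory so the sweep can be exercised offline.
"""
import hashlib
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# SHA-256 of each dropped file, copied from the Files section. The installed
# copy winregedigr.exe hashes identically to the submitted sample.
KNOWN_BAD: Dict[str, str] = {
    "4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e": "winregedigr.exe (= submitted sample)",
    "cb28c538989e0b62588a531acf96e2f5d436f9f19bdaf4e7189ffd44c2fd2f0e": "SfMqtRCY.nfo",
    "38d68f85dd0d99524efb7b537ce8fc5c7494126da1455a8d700cec51ef021c24": "SfMqtRCY.svr",
    "3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde": "SfMqtRCY.dat",
}
# Directory names the sample creates (C:\Windows\InstallDir and
# %APPDATA%\Microsoft\Windows\SfMqtRCY). A repacked build changes every hash
# but tends to keep its install layout, so the path check complements the hashes.
DROP_DIR_NAMES = {"installdir", "sfmqtrcy"}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, iocs: Dict[str, str] = KNOWN_BAD) -> Tuple[List[Tuple[Path, str]], List[Path]]:
    """Return (hash hits, path hits) for every regular file under root."""
    hash_hits, path_hits = [], []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.parent.name.lower() in DROP_DIR_NAMES:
            path_hits.append(p)
        try:
            digest = sha256_file(p)
        except OSError:  # locked or unreadable file: skip it, keep sweeping
            continue
        if digest in iocs:
            hash_hits.append((p, iocs[digest]))
    return hash_hits, path_hits


# Constructed fixture, not real malware: an empty file (whose SHA-256 is well
# known) stands in for a hash match, and a dummy InstallDir\winregedigr.exe
# stands in for a path match.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def self_check() -> Dict[str, int]:
    """Run the sweep over a temporary tree and return the hit counts."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Windows" / "InstallDir").mkdir(parents=True)
        (root / "Windows" / "InstallDir" / "winregedigr.exe").write_bytes(b"MZ placeholder")
        (root / "Users" / "Admin").mkdir(parents=True)
        (root / "Users" / "Admin" / "empty.bin").write_bytes(b"")
        iocs = dict(KNOWN_BAD, **{EMPTY_SHA256: "fixture empty file"})
        hash_hits, path_hits = sweep(root, iocs)
        return {"hash_hits": len(hash_hits), "path_hits": len(path_hits)}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(self_check())  # {'hash_hits': 1, 'path_hits': 1}
    else:
        hits, paths = sweep(Path(sys.argv[1]))
        for p, what in hits:
            print(f"HASH  {p}  {what}")
        for p in paths:
            print(f"PATH  {p}")
```

Run it as `python sweep.py C:\` on a suspect host (with a privileged token, or C:\Windows\InstallDir will be skipped as unreadable); without an argument it runs the offline fixture.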

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-23 20:38

Reported

2022-11-23 23:38

Platform

win10v2004-20221111-en

Max time kernel

188s

Max time network

186s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe"

Signatures

XtremeRAT

persistence spyware rat xtremerat

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
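Every row above is the same write, the value winservicesd under the per-machine and per-user Policies\Explorer\Run keys pointing at C:\Windows\InstallDir\winregedigr.exe, repeated by each process the RAT runs in; the plain Run keys in the next signature (values named HKLM and HKCU) and the Winlogon Shell change recorded for behavioral1 point at the same binary. Policies\Explorer\Run is rarely written outside Group Policy, which makes it a cleaner detection than the ordinary Run key. The Python below is an added example, not part of the report: it normalises Sysmon-style registry SetValue records so that the \REGISTRY\MACHINE, HKLM, HKU\<SID> and Wow6432Node spellings compare equal, then flags the three autostart patterns seen in this report. The RegEvent fields and the sample rows are constructed to mirror the report's indicators, and the "custom folder under C:\Windows" rule for Run targets is a generalisation of the InstallDir path seen here.

```python
"""Flag autostart registry writes like the ones reported for this sample.

Added example, not part of the sandbox report. It runs over a few constructed
Sysmon-style registry SetValue records (EventID 13); the RegEvent field names
and the sample rows are assumptions modelled on the report's indicators.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Autostart locations the sample writes (from the report), in the normalised
# form produced by normalise(): lower case, no hive, no WOW6432Node, no SID.
POLICY_RUN = "software\\microsoft\\windows\\currentversion\\policies\\explorer\\run"
RUN = "software\\microsoft\\windows\\currentversion\\run"
WINLOGON_SHELL = "software\\microsoft\\windows nt\\currentversion\\winlogon\\shell"

# Directories under C:\Windows where a legitimate autostart target normally lives.
WINDOWS_BIN_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class RegEvent:
    process: str        # image that performed the write
    target_object: str  # full registry path of the value
    details: str        # string data written


def normalise(key: str) -> str:
    """Lower-case a registry value path and strip the hive prefix, user SID and
    WOW6432Node so the HKLM / HKU / Wow6432Node variants in the report compare equal."""
    k = key.lower().replace("/", "\\")
    k = re.sub(r"^\\?registry\\(machine|user)\\", "", k)
    k = re.sub(r"^(hklm|hkcu|hku|hkey_local_machine|hkey_current_user|hkey_users)\\", "", k)
    k = re.sub(r"^s-1-5-21-[\d-]+\\", "", k)
    return k.replace("\\wow6432node\\", "\\")


def odd_windows_target(target: str) -> bool:
    """True when an autostart target sits in a custom folder under C:\\Windows
    (C:\\Windows\\InstallDir here) instead of System32 or SysWOW64."""
    return target.startswith("c:\\windows\\") and not target.startswith(WINDOWS_BIN_DIRS)


def classify(ev: RegEvent) -> Optional[str]:
    """Return a finding label for one SetValue event, or None if it looks benign."""
    key = normalise(ev.target_object)
    data = ev.details.strip().strip('"').lower()
    parent = key.rpartition("\\")[0]
    if key == WINLOGON_SHELL and data != "explorer.exe":
        return "winlogon-shell-hijack"   # Shell = "explorer.exe <extra binary>"
    if parent == POLICY_RUN:
        return "policy-run-autostart"    # almost never written outside Group Policy
    if parent == RUN and odd_windows_target(data):
        return "run-key-unusual-target"
    return None


def scan(events: List[RegEvent]) -> List[Tuple[str, str, str]]:
    """(finding, writing process, data) for every event that classify() flags."""
    out = []
    for ev in events:
        label = classify(ev)
        if label:
            out.append((label, ev.process, ev.details))
    return out


# Constructed rows shaped like the report's indicators (not sandbox output).
SAMPLE_EVENTS = [
    RegEvent(r"C:\Windows\SysWOW64\explorer.exe",
             r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
             r"explorer.exe C:\Windows\InstallDir\winregedigr.exe"),
    RegEvent(r"C:\Windows\InstallDir\winregedigr.exe",
             r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winservicesd",
             r"C:\Windows\InstallDir\winregedigr.exe"),
    RegEvent(r"C:\Windows\InstallDir\winregedigr.exe",
             r"HKU\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU",
             r"C:\Windows\InstallDir\winregedigr.exe"),
    RegEvent(r"C:\Program Files\Vendor\Updater.exe",  # benign control row
             r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
             r"C:\Program Files\Vendor\Updater.exe"),
    RegEvent(r"C:\Windows\System32\winlogon.exe",      # default shell, untouched
             r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
             "explorer.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

The Winlogon check compares the whole Shell value against the bare default rather than looking for a known bad path, so any appended binary is caught, not only this sample's; the Run-key rule is deliberately narrow (custom folder under C:\Windows) to keep ordinary vendor updaters out of the results.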

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\winregedigr.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\winregedigr.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Windows\InstallDir\winregedigr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\InstallDir\winregedigr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\winregedigr.exe" C:\Windows\InstallDir\winregedigr.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2428 set thread context of 1076 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 1268 set thread context of 3064 N/A C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe
PID 3064 set thread context of 4708 N/A C:\Windows\InstallDir\winregedigr.exe C:\Windows\SysWOW64\explorer.exe
PID 3864 set thread context of 640 N/A C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe
PID 208 set thread context of 4784 N/A C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe
PID 1848 set thread context of 4444 N/A C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe
PID 4784 set thread context of 3588 N/A C:\Windows\InstallDir\winregedigr.exe C:\Windows\SysWOW64\explorer.exe
PID 2244 set thread context of 2880 N/A C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe
PID 3156 set thread context of 760 N/A C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe
PID 760 set thread context of 1480 N/A C:\Windows\InstallDir\winregedigr.exe C:\Windows\SysWOW64\explorer.exe
PID 1256 set thread context of 3936 N/A C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe
PID 3936 set thread context of 3076 N/A C:\Windows\InstallDir\winregedigr.exe C:\Windows\SysWOW64\explorer.exe
PID 5056 set thread context of 3656 N/A C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\winregedigr.exe C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe N/A
File opened for modification C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Windows\InstallDir\winregedigr.exe N/A
File created C:\Windows\InstallDir\winregedigr.exe C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe N/A
File opened for modification C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe N/A
File opened for modification C:\Windows\InstallDir\winregedigr.exe C:\Windows\InstallDir\winregedigr.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\InstallDir\winregedigr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\InstallDir\winregedigr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 2428 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 2428 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 2428 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 2428 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 2428 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 2428 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 2428 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 2428 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 2428 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 2428 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 2428 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 2428 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe
PID 1076 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\svchost.exe
PID 1076 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\svchost.exe
PID 1076 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\svchost.exe
PID 1076 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe
PID 1076 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe

"C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe"

C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe

"C:\Users\Admin\AppData\Local\Temp\4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4708 -ip 4708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 12

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3588 -ip 3588

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 12

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1480 -ip 1480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 12

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3076 -ip 3076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 12

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

C:\Windows\InstallDir\winregedigr.exe

"C:\Windows\InstallDir\winregedigr.exe"

Network

Country Destination Domain Proto
N/A 93.184.221.240:80 N/A tcp
N/A 52.109.77.2:443 N/A tcp
N/A 93.184.221.240:80 N/A tcp
N/A 40.125.122.151:443 N/A tcp
N/A 104.46.162.226:443 N/A tcp
N/A 93.184.221.240:80 N/A tcp
N/A 93.184.221.240:80 N/A tcp
N/A 104.80.225.205:443 N/A tcp
N/A 93.184.221.240:80 N/A tcp
N/A 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
N/A 127.0.0.1:3460 N/A tcp
N/A 127.0.0.1:3460 N/A tcp
N/A 127.0.0.1:3460 N/A tcp
N/A 127.0.0.1:3460 N/A tcp

Files

memory/2428-133-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1076-136-0x0000000000000000-mapping.dmp

memory/1076-137-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/1076-138-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/1076-139-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/1752-140-0x0000000000000000-mapping.dmp

memory/1076-141-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/1752-142-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/1076-143-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/1268-144-0x0000000000000000-mapping.dmp

C:\Windows\InstallDir\winregedigr.exe

MD5 25d5d607c5b6bfaf201b794e751af38a
SHA1 c16b39545267bdfd8107950c03e5ea8bb72394b8
SHA256 4786837da492a46abbfa55fc2653ce8fcf10341e0209c2002a4f0e1bcfe8d57e
SHA512 a7c0ecfbf2abe423267ffc327b1218ad5f72589cc72b2b0ad514d7bd25b0afb5e8c0aac308a62b150abbedb734c79a3ca596eb012193ef7e649fd88b6b2b58c9

memory/1268-147-0x0000000000400000-0x0000000000483000-memory.dmp

memory/3064-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SfMqtRCY\SfMqtRCY.nfo

MD5 f86802d11a173a36497c18c24f7117a5
SHA1 2d83fdeee6e2c2992090c241dfad2f4f1341c567
SHA256 cb28c538989e0b62588a531acf96e2f5d436f9f19bdaf4e7189ffd44c2fd2f0e
SHA512 7b6784400d1b79c710e0e4cf2ea2360e63c17a034dd69e9b4de38f3a4ddc72f299a78e62e1c7b99224882aa28140b66687efaa6f32772d101d6eda356103345a

memory/3008-156-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SfMqtRCY\SfMqtRCY.svr

MD5 b6d63330959896290103db9786bd33d6
SHA1 b2558e1b4c6d9e012801a6e6564cf44fa16d6d14
SHA256 38d68f85dd0d99524efb7b537ce8fc5c7494126da1455a8d700cec51ef021c24
SHA512 54cd768f2df8e7e570a95073e1727465c6c22945334e33b835608b8933ef81d59eb33b3b5b434dde5c8b2f25130b417a076916fa4b7fcd9c33a133681cecc9b2

memory/4708-158-0x0000000000000000-mapping.dmp

memory/4708-159-0x0000000001610000-0x0000000001715000-memory.dmp

memory/4708-160-0x0000000001610000-0x0000000001715000-memory.dmp

memory/3008-164-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/4708-161-0x0000000001610000-0x0000000001715000-memory.dmp

memory/3064-162-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/1076-165-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/3864-166-0x0000000000000000-mapping.dmp

memory/3864-168-0x0000000000400000-0x0000000000483000-memory.dmp

memory/640-171-0x0000000000000000-mapping.dmp

memory/640-177-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/640-179-0x0000000000C80000-0x0000000000CEC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SfMqtRCY\SfMqtRCY.dat

MD5 93e00066d099c0485cfffa1359246d26
SHA1 bc69a773f37b2f2071e25f755a66d47b871e5d98
SHA256 3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde
SHA512 d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

memory/208-180-0x0000000000000000-mapping.dmp

memory/208-182-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4784-185-0x0000000000000000-mapping.dmp

memory/640-189-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/4784-192-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/1848-193-0x0000000000000000-mapping.dmp

memory/1848-195-0x0000000000400000-0x0000000000483000-memory.dmp

memory/4444-199-0x0000000000000000-mapping.dmp

memory/3588-203-0x0000000000000000-mapping.dmp

memory/4444-209-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/4784-211-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/2244-212-0x0000000000000000-mapping.dmp

memory/2880-217-0x0000000000000000-mapping.dmp

memory/2880-223-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/2880-224-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/3156-225-0x0000000000000000-mapping.dmp

memory/760-230-0x0000000000000000-mapping.dmp

memory/1480-237-0x0000000000000000-mapping.dmp

memory/4444-242-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/760-243-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/1256-244-0x0000000000000000-mapping.dmp

memory/3936-249-0x0000000000000000-mapping.dmp

memory/3936-255-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/3076-256-0x0000000000000000-mapping.dmp

memory/3936-261-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/5056-262-0x0000000000000000-mapping.dmp

memory/3656-267-0x0000000000000000-mapping.dmp

memory/3656-272-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/4720-274-0x0000000000000000-mapping.dmp

memory/3536-276-0x0000000000000000-mapping.dmp

memory/5012-278-0x0000000000000000-mapping.dmp

memory/3656-280-0x0000000000C80000-0x0000000000CEC000-memory.dmp