Malware Analysis Report

2025-06-16 06:16

Sample ID 230505-w8wf3aga4t
Target 8a437b5f22a40f6a67e3482d572a1ee5.bin
SHA256 e9ab90fe1a2cc38191dc9f1820d50f1c298c912e85fc2b36aa234d67adafc07a
Tags
darkcloud spyware stealer
Score
10/10

Analysis Overview

Threat Level: Known bad

The file 8a437b5f22a40f6a67e3482d572a1ee5.bin was found to be: Known bad.

Malicious Activity Summary

darkcloud spyware stealer

DarkCloud

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-05 18:36

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-05 18:36

Reported

2023-05-05 19:09

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe"

Signatures

DarkCloud

stealer darkcloud

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\AgentService.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\System32\msdtc.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\system32\AgentService.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\system32\vssvc.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\3b3acb8c2f34055d.bin | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\wbengine.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\system32\spectrum.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\System32\vds.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\system32\TieringEngineService.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\system32\locator.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{7275D8FE-3105-4FA6-AB36-BE5FAD0C0F2A}\chrome_installer.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\alg.exe | N/A |

Enumerates physical storage devices

Checks SCSI registry key(s)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca0cc8b3957fd901 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000579ebdb4957fd901 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6f530b4957fd901 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da185ab6957fd901 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032fcb4b3957fd901 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b922eb4957fd901 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 2396 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 2396 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 2396 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 2396 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 2396 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 2396 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 2396 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 2932 wrote to memory of 4976 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2932 wrote to memory of 4976 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2932 wrote to memory of 2740 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 2932 wrote to memory of 2740 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe

"C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe"

C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe

"C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 52.168.117.170:443 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 122.184.231.173.in-addr.arpa udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 58.152.191.206.in-addr.arpa udp
US 8.8.8.8:53 25.106.251.63.in-addr.arpa udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 88.35.99.167.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 12.161.5.72.in-addr.arpa udp
US 8.8.8.8:53 251.182.224.103.in-addr.arpa udp
US 8.8.8.8:53 ww25.uhxqin.biz udp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 223.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 ww25.anpmnmxo.biz udp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 173.231.189.15:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 63.251.126.10:80 ifsaia.biz tcp
US 8.8.8.8:53 15.189.231.173.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 173.231.184.124:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 72.5.161.12:80 vcddkls.biz tcp
US 8.8.8.8:53 10.126.251.63.in-addr.arpa udp
US 8.8.8.8:53 124.184.231.173.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 99.83.154.118:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
NL 63.251.235.76:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 199.21.76.77:80 deoci.biz tcp
US 8.8.8.8:53 118.154.83.99.in-addr.arpa udp
US 8.8.8.8:53 76.235.251.63.in-addr.arpa udp
US 8.8.8.8:53 gytujflc.biz udp
US 8.8.8.8:53 qaynky.biz udp
SG 63.251.126.10:80 qaynky.biz tcp
US 8.8.8.8:53 77.76.21.199.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 63.251.106.25:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 173.231.184.122:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 72.251.233.245:80 nqwjmb.biz tcp

Files

memory/2396-133-0x0000000000320000-0x00000000004C4000-memory.dmp

memory/2396-134-0x0000000005350000-0x00000000058F4000-memory.dmp

memory/2396-135-0x0000000004DA0000-0x0000000004E32000-memory.dmp

memory/2396-136-0x0000000004D40000-0x0000000004D4A000-memory.dmp

memory/2396-137-0x0000000004F30000-0x0000000004F40000-memory.dmp

memory/2396-138-0x0000000004F30000-0x0000000004F40000-memory.dmp

memory/2396-139-0x00000000071D0000-0x000000000726C000-memory.dmp

memory/2172-140-0x0000000000400000-0x000000000065B000-memory.dmp

memory/2172-143-0x0000000000400000-0x000000000065B000-memory.dmp

memory/2172-144-0x00000000031F0000-0x0000000003256000-memory.dmp

memory/2172-149-0x00000000031F0000-0x0000000003256000-memory.dmp

memory/2172-154-0x0000000000400000-0x000000000065B000-memory.dmp

C:\Windows\System32\alg.exe

MD5 b577409c73f5094739da5c19a5c9fe72
SHA1 82c54d209d67e77aee37db362efe72c6f825a0d5
SHA256 e5c174e6e569cc10462e2f34d5cc86c4b8010eb2bdf96fb11aabdbfe716a0a40
SHA512 6c00b8028a8c890a4c43bdab4d298e7a4ac9e0c2e140f36cebde77dcf78bd0879480e694c4589a15ebf1c32a2cabe6b8c60a35ae58ccb98e0e960e33a23f0cf7

memory/1256-157-0x00000000006E0000-0x0000000000740000-memory.dmp

memory/1256-163-0x00000000006E0000-0x0000000000740000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 26c963d9d8d1a2a2c64389d7e122f0c0
SHA1 a17b679e11943199abce6c7acdc8713ce21f5eae
SHA256 9504e65d044362803e2cc0612943b93f7090ef6d41e321442dec026bf9ad5aba
SHA512 1e4274edf70730b12c82c57c27c5687f3f4e5ac6a046143b7f0553df4632ad4ea0506fbea4dd9b1c77e83beed4316bfc87cbd4fb081c2d22a7924371b922ee52

memory/4572-169-0x0000000000720000-0x0000000000780000-memory.dmp

memory/4572-175-0x0000000000720000-0x0000000000780000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 3858340e8a43e3afee3c5fdcb11c2cca
SHA1 fae43ff3cc1bce26dca300120d01723ca84886fc
SHA256 cbcee621874a1241cf12b081c5e35318f2f165fbbabe5866d36911eef6d3b1cb
SHA512 6c21de18b5424beebeccbdb7cb5f67fb8e85a956bbac8623afed733b54462bc1b4083024dc137568918ecce987f8c7e8f02479484eb1db3badd74372d130398b

memory/4028-179-0x0000000000D50000-0x0000000000DB0000-memory.dmp

memory/1256-181-0x0000000140000000-0x0000000140201000-memory.dmp

memory/4572-183-0x0000000140000000-0x0000000140200000-memory.dmp

memory/4028-185-0x0000000140000000-0x0000000140135000-memory.dmp

memory/4028-188-0x0000000000D50000-0x0000000000DB0000-memory.dmp

memory/4028-190-0x0000000000D50000-0x0000000000DB0000-memory.dmp

memory/4028-192-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 c39fe0a04b80377474a3eb2cb55ab7cb
SHA1 dbfcd7be1835084031d6cbff540900b55758d93d
SHA256 2d84b37d29fc8f38671d21fc6c3bdc680d23a1c0764cd4334f39d183bf4e302d
SHA512 f5318eca431d4e5e30b66b97775991be645c51c93f71ee3bf409b6641ec0bf90b18b3cdcabfbe7e752826dc920fa98feb09fdaba302707ce8d42bc87b9b00179

memory/2920-195-0x00000000004D0000-0x0000000000530000-memory.dmp

memory/2920-201-0x00000000004D0000-0x0000000000530000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 04ae1ec76338f1c1559d93906717d3c8
SHA1 5507d8b92d733e6b5e7dfbfaf827ffc1e7879522
SHA256 bce29973c71d5b05c6d1aff5c716e7801b04094a6ac64a57a659d8c5a0dd8d87
SHA512 784eee05c224d8333446ca3dce927166bbf62c76b5ca7cc22d0fe0523757176de61778ae7b151db3e3d049b67a9ccb0a687119714b0886d3d424de91b7ac3c70

memory/3832-205-0x0000000000190000-0x00000000001F0000-memory.dmp

memory/3832-211-0x0000000000190000-0x00000000001F0000-memory.dmp

memory/2920-213-0x0000000140000000-0x0000000140237000-memory.dmp

memory/3832-215-0x0000000140000000-0x000000014022B000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 17a18d7e7da34ec4321c56845800dbb4
SHA1 d72ba1d42e8049722769729c246a349893aa69e1
SHA256 4caabff80a6bddd1fe2b4255edf4af9446b7a8fdbfbc568283d3db99a249c8fc
SHA512 3a4ffd9f907827b4c9bb139f48422c0fbfbbae8b9f683049638ad32d6b3782248d14fff9d27bd0d34d21e2a69b058c2f5d778a88c739b81279cdfde5f53df4b2

memory/2268-217-0x0000000001E90000-0x0000000001EF0000-memory.dmp

memory/2268-223-0x0000000001E90000-0x0000000001EF0000-memory.dmp

memory/2268-227-0x0000000001E90000-0x0000000001EF0000-memory.dmp

memory/2268-229-0x0000000140000000-0x0000000140221000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 133ca165b44b6b96a2d9335ab36a7cd3
SHA1 d91cb5caf610f0411f4d337886fc28491d3c9156
SHA256 86b4e9047f419b56571d21e8b12e096f891babcee1852a6dd078624f0d5fae5f
SHA512 a12ad5b4f7cccace5e82c3eac688a18040de061e7338ed1b17fc5a341d974616e9cbde096e35ff37a0165637e62b18efe39faa0a787f770c29ae37f774c90531

memory/3964-231-0x0000000140000000-0x0000000140210000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 56ce5fc4edca0a0de2579f359cf5a96d
SHA1 e50570914e3a76d33637e10c4e0150c03ae97517
SHA256 a8e8f00447bebc1dd2f67192716296215cf15c9597f3d88da794d9f85e3cde12
SHA512 50e653d683c89b4019fb97ede55ed5f0c781cc544ba09ed8469374ffc6bb4f311ece5e20630e152a87f6b23e1f494188dc59e20de6ae427b873d5aa8c5ebc5a8

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 2aeb8795db41bae4812bc4c792920169
SHA1 ffb7f07acce8e06dbd2dd478df57032892e998c0
SHA256 5e4412da6678ebfda785ac053937ece1b2bfe448514959c5bc620ef7ccef7e49
SHA512 fb330f882d9a6c855f1b8f12635f7d643ac07aaa68f99fc7b63a56e956dc344f326eb24730c55490283004f20e865058265616be15a88b93029e6ef17f1c6d81

C:\Windows\SysWOW64\perfhost.exe

MD5 19718652c39286980d8e76863251cd8f
SHA1 9495351d9a6ccbc56a1364d92985d8e7026592ce
SHA256 2a171f86ec91531501a45bf2ce6b189e45780a0a056b82da14da8c07fa8c0c9b
SHA512 0cba6ee1ecfa73a1d9540957fec70cf2e88c63c25d84c013fe8ac989f0a468ede62b25ca16c49567d7af46f6ce261fa8a7f419d9e54a4a440e5178b0e80197fc

memory/5040-267-0x0000000140000000-0x0000000140226000-memory.dmp

memory/1624-270-0x0000000140000000-0x0000000140202000-memory.dmp

memory/4388-272-0x0000000000400000-0x00000000005EE000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 2f1d8ab24212944f9d31e60955222d9d
SHA1 35c7b600e0b1c03582c6798f1bd56076d68dc7f6
SHA256 5eee914bc0936569f3f5304352fb020ae1058105f926c1eb3586555aba11ab98
SHA512 b9e0f299f6abe6a74135167841e585943bd8a84d770605047965f2e44b2295c094163b799cd4f3a7626118f1b8a96058e5a41955c179ae5953c47b9e7e8cffd3

C:\Windows\System32\SensorDataService.exe

MD5 834c659bc949c91602f044c2226ae372
SHA1 29ad8f3a1396619ffd31c268a2c0a193240a0300
SHA256 b0381341d456c152251057f7ad8ea5c4e522a424e4c41c045c3c0812cf79e9fb
SHA512 ddf6df22e4e5c64e6e6a9605402d204bcf285286e99b4a66523073ce8d4f3a4b357305433c7f4cf95065e7db283c0bdd75761b3009dc043a29af55fb5351d778

C:\Windows\System32\snmptrap.exe

MD5 e4a9e2bfd2faeeba5d9fd287543eb9b6
SHA1 2f76af9a52718b3e66ea9a0a5470ca9769a92eef
SHA256 4164dffc7339debcdf2b2774d945bf0f6ed855eff1c564084d8a976d995382e2
SHA512 e6d80c41c9079ce0fd6cbd0f331ec75740dc02f742a7480a13a9010dfa4c18f59d7284158a254f80995466314ec59a1f463a2fcf8030715a3e739d2df57b125a

memory/2676-300-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/2124-302-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/400-305-0x0000000140000000-0x00000001401ED000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 0f7d798bf877007a3d0d1919ceec4029
SHA1 007d7f5f28d92924460c52951dea921b8420ccfa
SHA256 252058638bd1a4508e84f5e2841fecbf1ae1ef3005b82e547eaefc48217b490f
SHA512 e8f3e3157037c76781b2e87ab7b1c420549f7437ed9a021be583f1ef1a1a100ce418593d7f76664384a494b4cb08dea64af0c164412fb11e31066c89c552653e

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 bf922ddfc7ddf5ba7092ee68dd5e51df
SHA1 963b5d22db26bfc578100c50fc99f0a54c8d475e
SHA256 67cf0d5cbe72dfe93658189b692784c3d6ce4aca3d07a6368f885a312ced03ad
SHA512 5e2323a53b3fb1614165b357c3603585b0d7936ddf732dd3d966c92450c2ba3ae48b48b49b3ada79ef951adfc11de6b7c34544eaf54071099314a6e1cc70ef6f

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 bf922ddfc7ddf5ba7092ee68dd5e51df
SHA1 963b5d22db26bfc578100c50fc99f0a54c8d475e
SHA256 67cf0d5cbe72dfe93658189b692784c3d6ce4aca3d07a6368f885a312ced03ad
SHA512 5e2323a53b3fb1614165b357c3603585b0d7936ddf732dd3d966c92450c2ba3ae48b48b49b3ada79ef951adfc11de6b7c34544eaf54071099314a6e1cc70ef6f

memory/4544-324-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3684-326-0x0000000140000000-0x0000000140259000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 285365fbdf987e6165e40aaad3ee5c27
SHA1 e8adda49bfbfaad26a3ca878a88b2c52ccce4a68
SHA256 605fa8971016c562286ced29a2c77b026939a57e6f71bf1ab438fb92106fac9c
SHA512 0fc42f561487cdeb217f249f20faa01a9854ce7bb9eb217b4dee92d30c8572d75468bd198894536583bdfca91c644ee1fa5b09d55249a96c7de4dc2fb4696232

C:\Windows\System32\AgentService.exe

MD5 728bfd12274a9ea3a1c950a8156d9329
SHA1 b1a5a11f7c3bc720f146ea8e1aa8cbf25bee6587
SHA256 07058bcf734d6143672b39025b60a09b66e1db8a49aa411dd3a338a68c4be26d
SHA512 dbf843ffa8e7fe4b9eece020121169712bc046481cfb4dd2f78bf22bb2a53fc1127b92a3426d50096e341a7db43f4a90f94a04416d48ababec858d64b7bf6e9c

memory/2604-356-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 981d1f5b85d48ed03fe18e439fb1a587
SHA1 67925f026c1763274289bc0ce09eddbfedfc5392
SHA256 f34226024c61a5c3bc5057df3d91180883750c6447c3b820d39d346ad465d83a
SHA512 189f0adf309e22f987d49c35c156cc43a5777f753ac892267832dd7d220721b7d22f0b95a8bfd2bd60ba317397dc2aa674086e886118fc7758d8a52d8f2bf8a5

memory/4124-357-0x0000000140000000-0x0000000140239000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 78a8ceacb459fb498b669eb302426ef2
SHA1 da7f6d423c839efcf75214134de3bec9b28ab4c9
SHA256 cd70dc456125b76aaa3c974febedd1e8ebaef8d79c6700c11550b700646353ac
SHA512 5a5dee91be672cd525454abb1debf0678d3aa7d2d1a0d9365da011b93eab548bf0156fc7cade94b940513ecdab15bfe814369fb1a1c92270b1a0dbfc128e2d32

C:\Windows\System32\wbengine.exe

MD5 cddd142cd3a1e3c38acb516c76406a8b
SHA1 1b30bb4e1f67481088345dd8a60da41f4cbdacf4
SHA256 2b688f926db6b86b5f394766032a73e003a2a25cf467947262c42e998b9e46b0
SHA512 2571a368a7137bf344375c11da27aed78320647b697311ed4c9cc7798ad6ce1afbf886181c106ab15456dee711060b369e40efc7ce596ab172809663163dc5a3

memory/2496-380-0x0000000140000000-0x0000000140147000-memory.dmp

memory/3504-382-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/1892-384-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 4ae991eaebc6fe242c700d9d6e57427c
SHA1 cba6a1850d8118ee369c822198e19e2bd1904688
SHA256 a4a4bd9dc255ac901ea892d8558c571ce5d2d52b33a495db403c84e6daa446cb
SHA512 27b205b3ed645d8addf24680c50ff320028e446a4b9478397582ee68ec764ca6bc73e396b7c2ea7acae2269156d4cb7e0816f666fa7d449879f2ba244bc19e49

C:\Windows\System32\SearchIndexer.exe

MD5 93cc061163c1346be61b23e9037f67b5
SHA1 fb42c95deb3696548d04933cda49c1bd00583f53
SHA256 c1df797209dcbd15f6bdfe5f86f4326c9d1fa132d967ca34caac630ac13a8ec4
SHA512 0d6be514bacb098f9a6237e9cf4bed631fc339b7093a92faf1e49e4710c314d62bec10b896dfb0ce868d502bab06c20c9e632186827ca49c15260a4f0acd10da

memory/5100-409-0x0000000140000000-0x000000014021D000-memory.dmp

memory/2932-411-0x0000000140000000-0x0000000140179000-memory.dmp

memory/2172-461-0x0000000000400000-0x000000000065B000-memory.dmp

memory/2920-517-0x0000000140000000-0x0000000140237000-memory.dmp

memory/3832-519-0x0000000140000000-0x000000014022B000-memory.dmp

memory/3964-538-0x0000000140000000-0x0000000140210000-memory.dmp

memory/2124-553-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/4388-563-0x0000000000400000-0x00000000005EE000-memory.dmp

memory/400-577-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/4544-589-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3684-590-0x0000000140000000-0x0000000140259000-memory.dmp

memory/3504-603-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/1892-604-0x0000000140000000-0x0000000140216000-memory.dmp

memory/5100-610-0x0000000140000000-0x000000014021D000-memory.dmp

memory/2932-611-0x0000000140000000-0x0000000140179000-memory.dmp

memory/2740-655-0x0000024D91550000-0x0000024D91551000-memory.dmp

memory/2740-657-0x0000024D91570000-0x0000024D91670000-memory.dmp

memory/2740-656-0x0000024D91570000-0x0000024D91670000-memory.dmp

memory/2740-658-0x0000024D91570000-0x0000024D91670000-memory.dmp

memory/2740-659-0x0000024D91570000-0x0000024D91670000-memory.dmp

memory/2740-660-0x0000024D91570000-0x0000024D91670000-memory.dmp

memory/2740-678-0x0000024D91570000-0x0000024D91670000-memory.dmp

memory/2740-694-0x0000024D91570000-0x0000024D91670000-memory.dmp

memory/2740-695-0x0000024D91570000-0x0000024D91670000-memory.dmp

memory/2740-696-0x0000024D91570000-0x0000024D91670000-memory.dmp

memory/2740-713-0x0000024D91810000-0x0000024D9182A000-memory.dmp

memory/2740-715-0x0000024D91810000-0x0000024D9182A000-memory.dmp

memory/2740-714-0x0000024D91810000-0x0000024D9182A000-memory.dmp

memory/2740-716-0x0000024D91810000-0x0000024D9182A000-memory.dmp

memory/2740-717-0x0000024D91810000-0x0000024D9182A000-memory.dmp

memory/2740-734-0x0000024D91810000-0x0000024D9182A000-memory.dmp

memory/2740-735-0x0000024D91810000-0x0000024D9182A000-memory.dmp

memory/2740-736-0x0000024D91860000-0x0000024D91870000-memory.dmp

memory/2740-770-0x0000024D91860000-0x0000024D918A9000-memory.dmp

memory/2740-771-0x0000024D91570000-0x0000024D91670000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 715900b001a980f50e0cb07733cd3666
SHA1 95d175c14306d9b1d19bc8d3e64661d956cad946
SHA256 288476cbbaebedd354010a4135c3f92641a3a0c1259e270dbb152171d445b76d
SHA512 60c3ebc072a3acb46d0e620d232328802a3061eaf2610bbe90ea94767c2a77bd018fa0dc677062a77be28a51b58c2c538ef7624e7d6c8a9ee66380ebda85a1cf

C:\Windows\system32\fxssvc.exe

MD5 3858340e8a43e3afee3c5fdcb11c2cca
SHA1 fae43ff3cc1bce26dca300120d01723ca84886fc
SHA256 cbcee621874a1241cf12b081c5e35318f2f165fbbabe5866d36911eef6d3b1cb
SHA512 6c21de18b5424beebeccbdb7cb5f67fb8e85a956bbac8623afed733b54462bc1b4083024dc137568918ecce987f8c7e8f02479484eb1db3badd74372d130398b

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 17a18d7e7da34ec4321c56845800dbb4
SHA1 d72ba1d42e8049722769729c246a349893aa69e1
SHA256 4caabff80a6bddd1fe2b4255edf4af9446b7a8fdbfbc568283d3db99a249c8fc
SHA512 3a4ffd9f907827b4c9bb139f48422c0fbfbbae8b9f683049638ad32d6b3782248d14fff9d27bd0d34d21e2a69b058c2f5d778a88c739b81279cdfde5f53df4b2

C:\Windows\system32\msiexec.exe

MD5 82348dbde32b9364f3df970744f46000
SHA1 6b7b03135924856874749e0404969566b887adef
SHA256 22987124997a4d799a635b230c148fc791cc55a8c99060405a9f076cde38a0f9
SHA512 84db45f59450a3ce20f3adbd3ba5d8d2532c8700b33e811272f94adc49cbbafbdb85d7084a0ea41b0fa699661d3e91b1ac35761f39a858d5e52269c92fbdad5a

C:\Windows\System32\SensorDataService.exe

MD5 834c659bc949c91602f044c2226ae372
SHA1 29ad8f3a1396619ffd31c268a2c0a193240a0300
SHA256 b0381341d456c152251057f7ad8ea5c4e522a424e4c41c045c3c0812cf79e9fb
SHA512 ddf6df22e4e5c64e6e6a9605402d204bcf285286e99b4a66523073ce8d4f3a4b357305433c7f4cf95065e7db283c0bdd75761b3009dc043a29af55fb5351d778

C:\Windows\system32\AgentService.exe

MD5 728bfd12274a9ea3a1c950a8156d9329
SHA1 b1a5a11f7c3bc720f146ea8e1aa8cbf25bee6587
SHA256 07058bcf734d6143672b39025b60a09b66e1db8a49aa411dd3a338a68c4be26d
SHA512 dbf843ffa8e7fe4b9eece020121169712bc046481cfb4dd2f78bf22bb2a53fc1127b92a3426d50096e341a7db43f4a90f94a04416d48ababec858d64b7bf6e9c

C:\Windows\system32\SgrmBroker.exe

MD5 81baf06d221e6bc3a571e802d984e54d
SHA1 ef6ec5855067919b3d753a0beef972661eea630f
SHA256 40e5110b750c624eb93b1a3bc6b50785ce0e2699c68bf385d3f7df045e642886
SHA512 0ac30c294133b49cd198391cf029be85ccac1478e50b60d000519978929565846409cb14df2c31b052e3f3e31d4b41ad8fb3fb09b8e698c1bb0cf32722329bc9

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 72d08c4089a4b2b9e44dc6821e7fb2f5
SHA1 1f6db81c39abc6613ab6e8cfdf7d2eea60236ffb
SHA256 1fd0101094b4df648bed947598d2ad03b4f0f3fedfbc6ff95da9fed973f3afca
SHA512 744219b454d6c23f985f882306aaafeb9c1875fb1cf03192c8c6d7077cf076e30660128000b9011b833dbe28d1ed3f4c1a1d58cad201c4c6b05a14237474dacd

C:\odt\office2016setup.exe

MD5 7d7eca2238c4e7b4fd35ca8f91a9bd93
SHA1 26a3729eed99124eb8e6895a137462ea10e64376
SHA256 ebe41d189ab802d787717dc4f41e1c0690da6773f96278d83964d0eac331da28
SHA512 d16ebb6ad630bf915addb3f6341b7f6f50b2467f18ac070b3dcbae53c037a3d81db5c32fadc64a67e867a76967691c70c1d07ec6ee128fe5d10b06f648b39d45

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 e3dcabb73fad8ac866e9d147309fc7db
SHA1 c90aac6b2ba458dae6e00e4d2731ef5a0d1cdd07
SHA256 795c619e69fa24891a0151503ef0aec797a408fab1a6915d56d835d741ea5aa5
SHA512 e17c1cc343ad13bdc8bb0c41bf26706b02c3c9308954c598750f3c567aa62dbc0ec093e8c3ff997372e3dc18367c0959eda515b861d987c5d144f2c06b5b7480

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 586e6557355925b4e99dec43b5513058
SHA1 19ce813be90fe4e163a0f8511cb677ba0973d1db
SHA256 1f5bd4b772dc67d92d65308ad7d5893ef82712eef5dd7c0313b9ef9a726575b6
SHA512 82ea89f9c130d6151fda2e7bbffaec065efc5494c00c290667ad84803f3fb38cbe712e36749ba4f6881e86cd58675583ecedcf4cb1f88c3cfd01c38118b379b4

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 7701019cb31892cb5aefd7c57f165b63
SHA1 1a6ee9c2b6a5e57f1b7c0e73d7b061ebe92e6e0e
SHA256 24bd13f9f83f900e8d19acf871eecdb6980491af88949f9d58e2fbabd920038d
SHA512 c1ecaf2f9206762d343423aaad80b4e1ebc829e2fd9f0f5b24906bd0807eb655e7997ef454a249fc6ee57086b354d6b3b53c486688211ff480e9806e39acd7fb

C:\Program Files\7-Zip\Uninstall.exe

MD5 6648339ba23edd0d9e7399ad25f7767a
SHA1 361f57ebc00552fe023b56906516c58bb5a112fb
SHA256 816a31c547b1884325ca0f62f35616d95124840492fc42cddad2da0006dbd2f5
SHA512 79948753a277bf9ffa65713c9b0c85bb6df96deedce236e7f546c3d14182b4a6db884a0b3ce17430d07de1a2b0b680ea1c303486ecbef3908411c8472cddcad9

C:\Program Files\7-Zip\7zG.exe

MD5 1979e689b289837bb892eef78eea1de8
SHA1 7324f5f289e9db50e17096d7efbcdc65820124cc
SHA256 10eeef2abf402f2f77b0f6f95b4de08df7bc717f4e5405376e58d7d36342bab7
SHA512 567d1b4f38bdbec9536f89ceb365d7ec14e2d93e1a61aad1dcee50a4a9967d3212c340b979d3fd6ead712e6f4f114555573a79e193294c9ae059e1427d3b8921

C:\Program Files\7-Zip\7zFM.exe

MD5 78d71482573829d54d54f5cebfc81be6
SHA1 1ee448d7520e36fc8c63d6e125669236a8759520
SHA256 ead6e24152cb911acda27c771be9ceec5e6b3e52444af396fb6b91ebc7c30aaa
SHA512 269caaa34a730f0082c203ef609d834346c35e29e64215b846c9aea80098ca1d84d6c248031a82ca1295edf1b29bcffd28651f51cc1d68114442720564a6dbf0

C:\Program Files\7-Zip\7z.exe

MD5 4d9a54ba583cc69c0846e7332db22a28
SHA1 2a7565561f73b9960113cfbb8f9c57055888c190
SHA256 829563d5a0ad7feaf4f2131c559018fffa769229e5fea7e664244eb496f0f935
SHA512 ae9c68145f484884bea71889464860cbddc19fd8ad8bb357d7c636a280dba1202b57dfe0f58453675c924b909e0c6bad2f86c86d9b33bfbd26cd28570b8b2649

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-05 18:36

Reported

2023-05-05 19:09

Platform

win7-20230220-en

Max time kernel

53s

Max time network

31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
PID 1660 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe

"C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe"

C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe

"C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe"

C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe

"C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe"

C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe

"C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe"

C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe

"C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe"

C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe

"C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe"

Network

N/A

Files

memory/1660-54-0x00000000003A0000-0x0000000000544000-memory.dmp

memory/1660-55-0x0000000004F30000-0x0000000004F70000-memory.dmp

memory/1660-56-0x0000000000560000-0x0000000000572000-memory.dmp

memory/1660-57-0x0000000004F30000-0x0000000004F70000-memory.dmp

memory/1660-58-0x00000000005D0000-0x00000000005DC000-memory.dmp

memory/1660-59-0x0000000005EB0000-0x0000000005FEC000-memory.dmp

memory/1660-60-0x0000000007F30000-0x00000000080E8000-memory.dmp