Malware Analysis Report

2024-09-11 01:39

Sample ID 230529-j8pmasaf58
Target 01764099.exe
SHA256 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800
Tags agenda ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800

Threat Level: Known bad

The file 01764099.exe was found to be: Known bad.

Malicious Activity Summary

agenda ransomware spyware stealer

Agenda Ransomware

Agenda family

Modifies extensions of user files

Drops file in Drivers directory

Loads dropped DLL

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Reading the file-system signatures: every indicator recorded below under "Drops file in Drivers directory", "Drops startup file", "Drops desktop.ini file(s)", "Drops autorun.inf file", "Drops file in System32 directory" and "Drops file in Program Files directory" is a "File opened for modification" event (not a file creation) on a path that already exists on a standard Windows 10 image, and the acting process in every row is the sample itself. Together with the "Modifies extensions of user files" hit and the ransomware classification, this pattern is consistent with bulk encryption of existing content as the sample walks the file system. The rows do not show a new driver, a new Startup entry or an autorun payload being written, so those signature names are sandbox heuristics triggered by the paths touched, not evidence of persistence on their own.

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported 2023-05-29 08:20

Signatures

Agenda family

agenda

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2023-05-29 08:20

Reported 2023-05-29 08:23

Platform win10v2004-20230220-en

Max time kernel 150s

Max time network 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01764099.exe"

Signatures

Agenda Ransomware

ransomware agenda

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\afunix.sys C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Modifies extensions of user files

ransomware

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\GrantOptimize.tiff C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Fonts\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Media\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Theme1\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Offline Web Pages\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wtsapi32.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-IsolatedVm-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Streaming-WOW64-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\de-DE\netmscli.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_399f04975a0af112\breecemc.sys C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\useractivitybroker.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\netl160a.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\ja-JP\netvwwanmp.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\ETWCoreUIComponentsResources.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\imageres.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\GamePanel.exe.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\ja-JP\net8192se64.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemPropertiesProtection.exe C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-DynamicMemory-VirtualDevice-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\regedit.exe.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows.Media.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\sendmail.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\UserDeviceRegistration.Ngc.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\fontext.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmChipset-Package~31bf3856ad364e35~amd64~~10.0.19041.153.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\CoreShellAPI.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\fontext.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TFTP-Client-Opt-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\downlevel\api-ms-win-service-core-l1-1-1.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\ru-RU\quickassist.exe.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-CastingTransmitter-Media-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DirectoryServices-ADAM-Tools-Opt-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Host-Guardian-Deployment-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\sechost.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\en-US\iaLPSS2i_I2C_BXT_P.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\winver.exe.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-InternetExplorer-Package-ua~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SearchEngine-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\uReFSv1.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\it-IT\EhStorPwdDrv.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\sysdm.cpl.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-ApplicationGuard-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.867.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1151.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\Dism\fr-FR\ProvProvider.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\c_media.inf_amd64_2dec3adbda5f7bb6\c_media.inf C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\wmidcom.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\WABSyncProvider.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DirectPlay-OC-WOW64-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\de-DE\msmouse.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\ExplorerFrame.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\msdtcuiu.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\it-IT\wvmgid.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\WLanConn.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\it-IT\c_fsundelete.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\it-IT\c_volume.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\de-DE\storagewmi_passthru.mfl C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\it-IT\WmiApRpl.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\mmcshext.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\locale.nls C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkTransition\MSFT_NetDnsTransitionMonitoring.format.ps1xml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package01~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\en-US\c_fscfsmetadataserver.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\cht4sx64.inf_amd64_3a69b9b79f49eb50\cht4sx64.inf C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\usbprint.inf_amd64_86cdf3e1f512cca1\usbprint.sys C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
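The indicator tables above are useful for triage only once they are turned into something a responder can count and diff. The script below is an added example, not part of the original report and not sandbox vendor code: it parses rows in the layout used by these tables ("<description> <indicator path> <process path> <target>"), buckets each touched path, derives a handful of ransomware-triage flags from the distribution, and includes the hash check one should run on a sample before relying on a report for it. The ten sample rows are copied from the behavioral2 tables above; the bucket names, the desktop.ini threshold and the flag names are this example's own choices.

```python
"""Triage helper for sandbox-style file-system indicator rows (added example)."""
import hashlib
import re
from collections import Counter

# Description is a fixed phrase; indicator and process both start with a
# drive letter and the indicator may contain spaces, so match it lazily and
# require the process to be a space-free path (true for every row above).
ROW_RE = re.compile(
    r"^(?P<desc>File (?:opened for modification|created|deleted)) "
    r"(?P<path>[A-Za-z]:\\.*?) "
    r"(?P<process>[A-Za-z]:\\\S+|N/A) "
    r"(?P<target>\S+)$"
)

# Assumed threshold: how many desktop.ini writes count as "mass" modification.
MASS_DESKTOP_INI_THRESHOLD = 3


def parse_row(row: str):
    """Return a dict for one indicator row, or None if the line is not one."""
    m = ROW_RE.match(row.strip())
    return m.groupdict() if m else None


def classify(path: str) -> str:
    """Bucket a touched path. Order matters: the Startup folder and the two
    marker file names are checked before the broad directory prefixes."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if "\\start menu\\programs\\startup\\" in p:
        return "startup"
    if name == "autorun.inf":
        return "autorun.inf"
    if name == "desktop.ini":
        return "desktop.ini"
    if p.startswith(("c:\\windows\\system32\\drivers\\",
                     "c:\\windows\\syswow64\\drivers\\")):
        return "drivers"
    if p.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
        return "system32"
    if p.startswith(("c:\\program files\\", "c:\\program files (x86)\\")):
        return "program_files"
    if p.startswith("c:\\users\\") and "\\appdata\\" not in p:
        return "user_data"
    return "other"


def triage(rows):
    """Summarise rows: counts per bucket, distinct processes, flags, IOC paths."""
    events = [e for e in (parse_row(r) for r in rows) if e]
    counts = Counter(classify(e["path"]) for e in events)
    processes = sorted({e["process"] for e in events})
    flags = {
        # Existing user content rewritten in place: the core ransomware signal.
        "user_files_modified": counts["user_data"] > 0,
        # desktop.ini in many unrelated folders is collateral of walking the
        # whole tree, not a targeted drop.
        "mass_desktop_ini": counts["desktop.ini"] >= MASS_DESKTOP_INI_THRESHOLD,
        "startup_folder_touched": counts["startup"] > 0,
        "autorun_inf_touched": counts["autorun.inf"] > 0,
        "os_files_touched": (counts["system32"] + counts["drivers"]) > 0,
    }
    return {
        "events": len(events),
        "by_category": dict(counts),
        "processes": processes,
        "flags": flags,
        "paths": sorted({e["path"] for e in events}),
    }


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Compare a sample's SHA256 with the hash printed in a report; compare
    case-insensitively because vendors print hex in either case."""
    return hashlib.sha256(data).hexdigest() == expected_hex.strip().lower()


# Constructed input: ten rows copied verbatim from the behavioral2 tables.
PROC = r"C:\Users\Admin\AppData\Local\Temp\01764099.exe"
SAMPLE_ROWS = [
    r"File opened for modification C:\Windows\SysWOW64\drivers\gm.dls " + PROC + " N/A",
    r"File opened for modification C:\Users\Admin\Pictures\GrantOptimize.tiff " + PROC + " N/A",
    r"File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini " + PROC + " N/A",
    r"File opened for modification C:\Program Files (x86)\desktop.ini " + PROC + " N/A",
    r"File opened for modification C:\Users\Admin\Documents\desktop.ini " + PROC + " N/A",
    r"File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf " + PROC + " N/A",
    r"File opened for modification C:\Windows\SysWOW64\wtsapi32.dll " + PROC + " N/A",
    r"File opened for modification C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL " + PROC + " N/A",
    r"File opened for modification C:\Windows\Fonts\desktop.ini " + PROC + " N/A",
    r"File opened for modification C:\Users\Public\Downloads\desktop.ini " + PROC + " N/A",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
```

Feed it the full tables (one row per line) to get the complete list of paths the sample touched, which is the practical IOC set for checking other hosts; the flags are only a first-pass heuristic, and the desktop.ini threshold should be tuned to the size of the run.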

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXPSRV.DLL C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Undo.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleMedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.INF C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\LargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-300.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\Images\DefaultProfileImage.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons2x.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Client.xml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-40_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyoptionaltools.jar C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008 C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\MSFT_PackageManagement.psm1 C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-100.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\ui-strings.js C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OFFSYML.TTF C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-16_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle_2x.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_contrast-white.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\download-btn.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXEV.DLL C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-400.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_stats_render_smallest.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketchAppService.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jfxwebkit.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-to-phones-small.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\main.css C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ms.txt C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\WideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_c_smrvolume.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_87094f2dfd01489b\c_smrvolume.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.746_none_0b4ed891dd9ccbc8\Splashscreen.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\EN\SqlPersistenceProviderLogic.sql C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\de-DE\Speech.adml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\ja-JP\VolumeEncryption.adml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..usmanager.resources_31bf3856ad364e35_10.0.19041.1_it-it_b876154f2b470a32\DeviceDisplayStatusManager.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\HyperV-Vpci-VirtualDevice-DDA-Package~31bf3856ad364e35~amd64~~10.0.19041.1110.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\Multimedia-RestrictedCodecsCore-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.mum C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-white\MediumTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Data.Entity.Build.Tasks.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a\Microsoft.Data.Entity.Build.Tasks.resources.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-80_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobekeyboard-main.html C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..henabledapplication_31bf3856ad364e35_10.0.19041.746_none_47ba8771f946a14e\Windows.Networking.Sockets.PushEnabledApplication.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..esslockapp.appxmain_31bf3856ad364e35_10.0.19041.844_none_15e5bfcd83a1911a\r\AssignedAccessLockApp.winmd C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-directshow-other_31bf3856ad364e35_10.0.19041.746_none_eb4ad2c63f89d4d8\mciqtz32.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-mfplay_31bf3856ad364e35_10.0.19041.746_none_d4a37191b245160c\r\MFPlay.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\cortana.js C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_dual_rhproxy.inf_31bf3856ad364e35_10.0.19041.1_none_bf23bc1290f4573d\rhproxy.sys C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dhcpcmonitor.resources_31bf3856ad364e35_10.0.19041.1_en-us_53fd1d316bd1264a\dhcpcmonitor.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Speech\Engines\SR\en-US\tn1033.bin C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..erecovery.resources_31bf3856ad364e35_10.0.19041.1_en-us_800b95e199a379c1\cofire.exe.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-Publishing-WMIProvider-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..ll-broker.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_7ffad8eca631cd75\windows.internal.shell.broker.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\System.Drawing.Resources.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-onecore-c..orization.resources_31bf3856ad364e35_10.0.19041.1_it-it_c9efb6a822d6d50f\capauthz.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_hyperv-vmbusvdev_31bf3856ad364e35_10.0.19041.928_none_ac1cf51d1258824d\vmbusvdev.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..riverclassextension_31bf3856ad364e35_10.0.19041.746_none_f08256e7fcc2cff6\r\SensorsClassExtension.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.UI.Shell\Images\LocationIcon.contrast-white_scale-150.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\InboxFodMetadataCache\metadata\Windows.Client.ShellComponents~~1.0.mum C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-PhotoBasic-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\PhishSiteStyles.css C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_dual_miradisp.inf_31bf3856ad364e35_10.0.19041.1_none_9855bc0311d2883a\MiraDisp.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config.comments C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_dual_mdmatm2k.inf_31bf3856ad364e35_10.0.19041.1_none_80f709aaa78352fa\mdmatm2k.inf C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\EventCache.v2\{9C5A8E49-A660-4854-8479-9440F18C6097}.bin C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\pris\resources.he-IL.pri C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-a..e-apphelp.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6adf8922ee7e82c2\Apphlpdm.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\HyperV-Vpci-VirtualDevice-FlexIo-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.928.mum C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-OneCore-VirtualizationBasedSecurity-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1288.mum C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-SecureStartup-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.mum C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-f..tory-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_ae8e628c60021eb5\fhcleanup.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dlna-dmrserver_31bf3856ad364e35_10.0.19041.1266_none_4ba603e64f357841\r\DMRServer.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-e..iewer-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_8bd28239fd50110c\EventViewer.adml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-e..riseclientsync-host_31bf3856ad364e35_10.0.19041.1202_none_42d3a7d52bcb0f8d\r\WorkFolders.exe C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_bth.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_0e7cbf1419145fa8\bthenum.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\rescache\_merged\1973483750\709512593.pri C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-onecore-tetheringservice_31bf3856ad364e35_10.0.19041.1_none_43a1294286598aee\tetheringclient.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-d..gement-winproviders_31bf3856ad364e35_10.0.19041.153_none_9539283603c64592\r\ProvProvider.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..cyscripts.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_70a156949cc5903e\iisext.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1_none_d0af17ec366548f3\TileSmall.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dafupnp_31bf3856ad364e35_10.0.19041.746_none_9ff4160625a200df\f\dafupnp.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Enterprise-Desktop-Shared-WOW64-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-WordPad-FoD-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_dual_acpipmi.inf_31bf3856ad364e35_10.0.19041.1_none_f459aca972a706de\acpipmi.inf C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-cdosys.resources_31bf3856ad364e35_10.0.19041.1_hu-hu_002f2b9a38a666a2\cdosys.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\fr\SqlPersistenceProviderSchema.sql C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..olsclient.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_fe9996dc5d311970\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-appsdiagnostic_31bf3856ad364e35_10.0.19041.1_none_909aa2855af297d4\RS_WSReset.ps1 C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\needhvsi.html C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..daptercim.resources_31bf3856ad364e35_10.0.19041.1_it-it_42a17673f6635e4e\NetAdapterCim.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,41484365,17110988,7153487,39965824,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,41484365,39965824,7153487,17110988,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01764099.exe

"C:\Users\Admin\AppData\Local\Temp\01764099.exe"

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

Network

Country Destination Domain Proto
US 52.242.101.226:443 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 254.20.238.8.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.247.210.254:80 tcp
NL 173.223.113.164:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll

MD5 2fc4d42f568c9fee6e069f7ea46d5cc0
SHA1 318429f05909b5d4097c2840d64029bc76d08d0f
SHA256 f0d4d5993e3e236c288ab8534583da7a624b340c0f6160f61ff4e2df4a82d390
SHA512 8e419505b40f55486aaa25ddca9e19c575986ffcd606168dca0ffda25e3affc5e5104185647f5cc277c5f647a6358f0fd35f53ca20bcc208728659eaf43daee9

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll

MD5 c9dab12378f3f914ed34c23494ce74c0
SHA1 69c14443b2ebb2f1e726243288aab1d12b97db37
SHA256 18c514f88f60310f3cf25cda77924a01e0a36d14a0e9762756648c2c648ce705
SHA512 150fc79994d2af3fa38d61d875220c1baa3c24364423ee670718bd149be1129c52b30296bba44394eac8cbc587c065f04aa527522ef5c605f7221439fb7c7ca9

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll

MD5 761277d21e3a31948012fef82b42f022
SHA1 08f7b27e33dd2d3cdfd54c283cdd22994a53402b
SHA256 6e1fec70fc0013137957242159edf04eafdb3c14d8a6f1ee2204d451114a19be
SHA512 0401fa3425ac8b472f9f42166e70906cc531c94782f2b0338281f983a5ad6f6fd6817b26fe59e841be25aacbfca0df88f672db5a4e17fa9e99d281d912db2d8f

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll

MD5 f5d4c22ced66b4f563c6640068aec6b4
SHA1 33ce26f849b4f981448567c379e6c88031c919e4
SHA256 df7abcdf3da7c974c481c90535cb143d5ba005c2972639c1b0613634dc6f055f
SHA512 97ed0d91c18a4a056f7914dd7899710c9447adde3bbbcc395197dfa297b265e835687ef9d030e850b2b031759448cf9369642bdc67f08c306c0c4aa1d7d9682f

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll

MD5 d89cb906c358b2649e15b444a5e0411a
SHA1 93869f7039ae43e04344516234ab9e6a7811307b
SHA256 3ce0887e31ede3772dd5ff44a11fd8bf1611442e88b28605ffe881affc533aa0
SHA512 e4bcbd596b8ae810af9bddfb4b2128af2718e12e886ef9218a6c81638e60dcd69f162997c9771f830fe5248ade961d50a2abbfa2633bd28d90310d30710e23f6

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll

MD5 cd68777721d728fe1f0417afd2a7b8fa
SHA1 2b245556966182e297eca0a53e1af9f732182272
SHA256 62023fd2449f16654306b645c1617aeb84c913778ce128fa1c90840dd230361e
SHA512 93a500ee36496211d108d950d5b2877010d1544528fac16abc64a5798f535093a7a78f209b848527e6f559a6b4bd29317a4aa4afbac0be609afb946789a35e66

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll

MD5 64fa89fe1bdc88ef8db4cc8c7c8319ec
SHA1 e1aff65c5b65a6a06303d5fe3bb9b8b6cdf5921b
SHA256 863b48351587489dc53337324d2d0602f6df57cc51b39d5713cf4bbec9046621
SHA512 11af835730f761ba86f518bd8d18425287fbb25f49faaa2d82defc84f7794d5684327e84f36b91ef57262828b0989d4a126e75fce30911eecc552c266223658c

C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll

MD5 696a91a6131e4b65613447be1819f060
SHA1 abc6ba263dfdddbbf145eccd81cf532fa62aebcb
SHA256 fa0178a7e38881f44890bee67da131f6aadd4361e7610ea66d27fb79bc90783b
SHA512 52622297054224cb9a882db26b06056d29fd6af0652e1fa2626313085562c19b456f4d392181e2fdb9638add3d00a1c77a86b8c46033d819a1b13b6a84c8f558

C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll

MD5 8c8d1140787da60a343dd11c1cdf4992
SHA1 a05114d3f8ff9d4b286668b31d47d85bf0fac434
SHA256 6aa1ece9dd340d05aec43248592a78b70d21959de8727f506d21a3a962348583
SHA512 79eeb1c69687cda2b92d9f57c6cd65dd959e6ace7f21d5783b8957c07f023d8250a249018a2d158b20654fcfd40cbe73a8aa1304d9310d0cb65d45d721fc08ba

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll

MD5 77055f17bb0ddb795ef3a63ca0039bac
SHA1 433d647221c9bb54c3c76be44eed0c6a67b0a0de
SHA256 20f7fa3c8ab200d87ffa9f58c2700ab393893291338090ec900b6111ca561040
SHA512 5aab26f303672c3d745c303ea54ed5891529a0cc5860a4fb8fbb33abc2559ac064c44ea1a943301bd399f2616dd1e15d358474b1089d1cb11eb046d88d9d8d04

memory/1312-145-0x0000000000570000-0x000000000072E000-memory.dmp

memory/1312-146-0x0000000000570000-0x000000000072E000-memory.dmp

memory/1312-147-0x0000000000570000-0x000000000072E000-memory.dmp

memory/1312-148-0x0000000000570000-0x000000000072E000-memory.dmp

memory/1312-149-0x0000000000570000-0x000000000072E000-memory.dmp

memory/1312-150-0x0000000000570000-0x000000000072E000-memory.dmp

memory/1312-151-0x0000000000570000-0x000000000072E000-memory.dmp

memory/1312-152-0x0000000000570000-0x000000000072E000-memory.dmp

memory/1312-153-0x0000000000570000-0x000000000072E000-memory.dmp

memory/1312-154-0x0000000000570000-0x000000000072E000-memory.dmp

memory/1312-155-0x0000000000570000-0x000000000072E000-memory.dmp

memory/1312-156-0x0000000000570000-0x000000000072E000-memory.dmp

memory/1312-157-0x0000000000570000-0x000000000072E000-memory.dmp

memory/1312-158-0x0000000000570000-0x000000000072E000-memory.dmp

memory/1312-159-0x0000000000570000-0x000000000072E000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-29 08:20

Reported

2023-05-29 08:23

Platform

win7-20230220-en

Max time kernel

150s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01764099.exe"

Signatures

Agenda Ransomware

ransomware agenda

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\wimmount.sys C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gm.dls C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Modifies extensions of user files

ransomware

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\CopyWrite.tiff C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Media\Characters\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Media\Savanna\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Media\Heritage\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Offline Web Pages\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Media\Garden\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Media\Calligraphy\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Fonts\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPTKCP3O\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Media\Sonata\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Media\Afternoon\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\4EJGXEBJ\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Media\Delta\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Media\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Media\Raga\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Media\Cityscape\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Media\Festival\Desktop.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep00a.inf_amd64_neutral_92a4c727cdf4c2f7\Amd64\EP0NGR00.DLL C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnnr003.inf_amd64_neutral_c07c33bfb5764bdb\Amd64\NR50006.GPD C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\it-IT\SensorsAlsDriver.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\cryptxml.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\apilogen.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\dvdupgrd.exe.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SearchEngine-Client-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca00e.inf_amd64_neutral_651eeed98428be5e\Amd64\CNBP_300.DLL C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\fr-FR\hidirkbd.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep00e.inf_amd64_neutral_edc631ff41a34218\Amd64\EP0NOJAB.DXT C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF1393E3.PPD C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky004.inf_amd64_neutral_5db759db19acd3ae\Amd64\KYKM2550.GPD C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\fr-FR\nete1e3e.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\fr-FR\prnin003.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\eventvwr.exe.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\OEM\Enterprise\license.rtf C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\cxfalpal_ibv64.inf_amd64_neutral_4c42ac5f00413365\cxfalcon_IBV64.sys C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpzstw72.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\qmgr.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\odbcji32.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\en-US\prnin003.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\prnlx00e.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\dot3svc.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\hgcpl.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\ctfmon.exe.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\AudioSes.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\C_20277.NLS C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\AudioSrv.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\Dism\FolderProvider.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep00f.inf_amd64_neutral_a5f6001b957bd7e0\Amd64\EP0NGN8C.GPD C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\getuname.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RemoteFX-RemoteClient-Setup-LanguagePack~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\C_20003.NLS C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_amd64_neutral_dd659ed032d28a14\nvraid.sys C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LLP00.DLL C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallShield\setupdir\0009\_setup.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-CoreClientUAPS-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc5300t.gpd C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\xcbdav.inf_amd64_neutral_cf80e4da1c95e6e2\xchalVx64.sys C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\mfcm120u.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\dot3cfg.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\en-US\ramdisk.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\ph3xibc12.inf_amd64_neutral_ff7295ba5a46d63f\Ph3xIBC12.inf C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPW9800T.GPD C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\wialx003.inf_amd64_neutral_db618863f9347f9a\wialx003.PNF C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\olecli32.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\azroleui.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRD150C.GPD C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\GSC20006.GPD C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\fr-FR\bthprint.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\gpupdate.exe.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmvdot.inf_amd64_neutral_714bc6a3a28b9f0f\mdmvdot.inf C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnlx002.inf_amd64_neutral_12563574abbc36eb\prnlx002.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnrc303.inf_amd64_ja-jp_b0dcc6693f67451a\Amd64\RI1352D3.PPD C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\sppcommdlg.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca003.inf_amd64_neutral_8e91d4aa9330d2f8\prnca003.inf C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\wiabr002.inf_amd64_neutral_b4ea26a49ad66560\Brmf3wia.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\comctl32.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\IPHLPAPI.DLL C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\en-US\lltdio.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\DriverStore\fr-FR\mdmhayes.inf_loc C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\WerFaultSecure.exe.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SampleContent-Music-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~ru-RU~7.1.7601.16492.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01123_.WMF C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03466_.WMF C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216516.WMF C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\StatusOnline.ico C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BRCHUR11.POC C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_hov.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImages.jpg C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue.css C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Tags.accft C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\MSTTSLoc.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BOATINST.WMF C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.DLL C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Premium.css C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host.jar C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-gibbous.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLJRNL.FAE C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\FUNCRES.XLAM C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185778.WMF C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5B.GIF C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\WinMail.exe C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-3.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLLIBR.DLL.IDX_DLL C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL002.XML C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVHM.POC C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libaom_plugin.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185800.WMF C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0185604.WMF C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR1B.GIF C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\UnformattedNumeric.jpg C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03257_.WMF C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\arrow.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OEMPRINT.CAT C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlcese35.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Resources.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSO.DLL C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Accra C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Design.Resources.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdvdread_plugin.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Windows Media Player\en-US\wmpnssci.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Australia\Brisbane C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libmmdevice_plugin.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libx26410b_plugin.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogo.png C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\InkObj.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_es_31bf3856ad364e35\Microsoft.ManagementConsole.Resources.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\86550fdda6994a9c192d7a0b9b59ee5b\Microsoft.WSMan.Runtime.ni.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\inf\mdmmcom.PNF C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\fr-FR\MMC.adml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Help\Windows\es-ES\blutooth.h1s C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\UIAutomationTypes\91def75d3d91a7f7c698cd5c736ca52f\UIAutomationTypes.ni.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Cursors\busy_im.cur C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Cursors\up_l.cur C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ehome\it-IT\playReady_eula_oem.txt C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Cursors\busy_r.cur C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\diagnostics\system\Networking\es-ES\DiagPackage.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Installer\31fc4.msi C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallWebEventSqlProvider.sql C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\UIAutomationProvider.resources\3.0.0.0_it_31bf3856ad364e35\UIAutomationProvider.resources.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\4bfa36696bef033cf7e33b1a092c8a0f\Microsoft.VisualC.ni.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\ehome\es-ES\ehchsime.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Help\Windows\fr-FR\Recopack.h1s C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Common.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.Office.Tools.Common.v9.0.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Help\Windows\es-ES\iisbasic.h1s C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Diagnostics.StackTrace.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~ja-JP~7.1.7601.16492.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~zh-HK~7.1.7601.16492.mum C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\es-ES\HotStart.adml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Common-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~hr-HR~7.1.7601.16492.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.OutlookViewCtl\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.OutlookViewCtl.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\it\WsatConfig.resources.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\WebAdminHelp_Application.aspx.ja.resx C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\en-US\NetworkProjection.adml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fr\aspnetmmcext.resources.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\inf\hcw85b64.inf C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\findUsers.aspx.ja.resx C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Branding-Ultimate-Client-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.mum C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Help\Windows\fr-FR\uap.h1s C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\inf\prnrc302.inf C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\fr-FR\Logon.adml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Xps-Foundation-Client-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Diagnostics\14.0.0.0__71e9bce111e9429c\microsoft.office.businessapplications.diagnostics.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Media\Cityscape\Windows Critical Stop.wav C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\PLA\Reports\Report.System.Summary.xml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\inf\ASP.NET_4.0.30319\0012\aspnet_perf.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Media\Delta\Windows Feed Discovered.wav C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\PolicyDefinitions\fr-FR\WinInit.adml C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Help\Windows\en-US\mobile.h1s C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\inf\ServiceModelOperation 3.0.0.0\_ServiceModelOperationPerfCounters.ini C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\diagnostics\system\PCW\fr-FR\DiagPackage.dll.mui C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Help\mui\0409\nfs_.CHM C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.tlb C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.Entity.Design.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml.resources\2.0.0.0_ja_b77a5c561934e089\system.data.sqlxml.resources.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Fonts\symbol.ttf C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-IIS-WebServer-AddOn-2-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.mum C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~pt-BR~7.1.7601.16492.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\inf\prnlx00c.PNF C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-ShareMedia-ControlPanel-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\schemas\EAPMethods\mspeapconnectionpropertiesv1.xsd C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Access.Dao\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Access.Dao.config C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c#\9a939c85c518e958f158f5d5d75af50e\PresentationFramework-SystemCore.ni.dll C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Fonts\trebucit.ttf C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\navigationBar.ascx.es.resx C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\01764099.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01764099.exe

"C:\Users\Admin\AppData\Local\Temp\01764099.exe"

Network

N/A

Files

memory/1520-54-0x0000000000170000-0x000000000032E000-memory.dmp

memory/1520-55-0x0000000000170000-0x000000000032E000-memory.dmp

memory/1520-56-0x0000000000170000-0x000000000032E000-memory.dmp

memory/1520-58-0x0000000000170000-0x000000000032E000-memory.dmp

memory/1520-59-0x0000000000170000-0x000000000032E000-memory.dmp

memory/1520-60-0x0000000000170000-0x000000000032E000-memory.dmp

memory/1520-61-0x0000000000170000-0x000000000032E000-memory.dmp

memory/1520-62-0x0000000000170000-0x000000000032E000-memory.dmp

memory/1520-63-0x0000000000170000-0x000000000032E000-memory.dmp

memory/1520-64-0x0000000000170000-0x000000000032E000-memory.dmp

memory/1520-65-0x0000000000170000-0x000000000032E000-memory.dmp

memory/1520-66-0x0000000000170000-0x000000000032E000-memory.dmp

memory/1520-67-0x0000000000170000-0x000000000032E000-memory.dmp

memory/1520-68-0x0000000000170000-0x000000000032E000-memory.dmp