Analysis Overview
score
10/10
SHA256
efb2e91cc711557415c3c4650a314c01e46d0ddc62808032edc9fe4961ad06fa
Threat Level: Known bad
The file 11097017147.zip was found to be: Known bad.
Malicious Activity Summary
Agenda family
Agenda Ransomware
Drops file in Drivers directory
Modifies extensions of user files
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Enumerates connected drives
Drops desktop.ini file(s)
Drops autorun.inf file
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-05 14:38
Signatures
Agenda family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-05 14:38
Reported
2023-07-05 14:40
Platform
win7-20230703-en
Max time kernel
150s
Max time network
32s
Command Line
"C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe"
Signatures
Agenda Ransomware
Drops file in Drivers directory
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\UndoLimit.tiff | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\DriverStore\ja-JP\pcmcia.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ja-JP\eudcedit.exe.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\clb.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\it-IT\dhcpsapi.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fr-FR\msrle32.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\de-DE\FXSRESM.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\de-DE\mssvp.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\de-DE\secedit.exe.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fr-FR\wldap32.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\it-IT\msoert2.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-AddOn-2-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00z.inf_amd64_neutral_27f402ce616c3ebc\Amd64\CNBDR4_5.DLL | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\NR4181E3.PPD | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\es-ES\wzcdlg.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ieapfltr.dat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\it-IT\iscsicpl.exe.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\de-DE\ncpa.cpl.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpc4600t.xml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\es-ES\ncpa.cpl.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fr-FR\Licenses\eval\ProfessionalN\license.rtf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ja-JP\DWWIN.exe.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpf2100t.gpd | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\rdpbus.inf_amd64_neutral_3b741ca76444b9c3\rdpbus.PNF | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\it-IT\dmdskres.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep00c.inf_amd64_neutral_f0d9ddf52f04765c\Amd64\EP0NGX8T.GPD | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpb8500t.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fr-FR\bitsadmin.exe.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\comexp.msc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnky008.inf_amd64_neutral_9f6abc54cbf095f2\Amd64\KYW7QUR7.XML | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smx624.ppd | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fr-FR\logman.exe.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVP11.GPD | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ipmidrv.inf_amd64_neutral_1cb648411f252d13\IPMIDrv.sys | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\fr-FR\netevbda.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\es-ES\ComputerDefaults.exe.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientEnterprise~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RDC-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Shell-PremiumInboxGames-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\faxca003.inf_amd64_neutral_5b8c7c1dda79bef4\CNHF1UI.DLL | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_neutral_a2f120466549d68b\streamci.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-PremiumTools-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\de-DE\wiabr007.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\es-ES\audiodev.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\it-IT\cmutil.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\it-IT\DHCPQEC.DLL.MUI | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\it-IT\hdwwiz.cpl.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~el-GR~7.1.7601.16492.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00e.inf_amd64_neutral_651eeed98428be5e\Amd64\CNBP_295.DLL | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVRA2.DLL | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\es-ES\colorui.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\it-IT\httpapi.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ja-JP\adtschema.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Tuner-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Killbits-Package~31bf3856ad364e35~amd64~~8.0.7601.17514.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\prnhp002.inf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnky306.inf_amd64_ja-jp_97f0de39317f6837\prnky306.PNF | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\en-US\msieftp.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~nl-NL~7.1.7601.16492.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\LA1311E3.PPD | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\de-DE\cleanmgr.exe.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\en-US\netr28x.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\bthprint.inf_amd64_neutral_3c11362fa327f5a4\bthprint.PNF | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\prngt004.inf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLIP.WMF | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN002.XML | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\weather.css | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\ext\jaccess.jar | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\defaultagent_localized.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_EN.LEX | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143750.GIF | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02116_.GIF | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183328.WMF | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\WinMail.exe | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\System.Speech.resources.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\cpu.js | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\settings.js | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.txt | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImages.jpg | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\25.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\cpu.css | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\gadget.xml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\j2pcsc.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmicrodns_plugin.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\it-IT\WMPDMC.exe.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL107.XML | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotiondetect_plugin.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\jsdebuggeride.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00532_.WMF | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d9_plugin.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_docked.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00530_.WMF | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\javafx.properties | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\jfr.jar | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\librawdv_plugin.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santarem | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBOX.XML | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Country.gif | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105638.WMF | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107042.WMF | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304371.WMF | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2 | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\bckgRes.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\OrielFax.Dotx | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21366_.GIF | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\msadce.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-crescent_partly-cloudy.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\c9bdcf9e45459b60e542e8f270de0c52\Accessibility.ni.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\inf\prnge001.PNF | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\createPermission.aspx.resx | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Client-Refresh-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.RuleWizard.Resources\6.1.0.0_es_31bf3856ad364e35\Microsoft.ApplicationId.RuleWizard.Resources.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\es\System.ServiceModel.Install.Resources.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\ja-JP\sdiageng.adml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\en-US\bootfix.bin | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Fonts\verdana.ttf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Telnet-Client-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Fonts\BOD_CR.TTF | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\inf\prnrc302.inf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\NETFXRepair.2052.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-Publishing-WMIProvider-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.mum | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml.84e525b7#\26111428db03f2a918b2deb8029871c4\System.Xml.Serialization.ni.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\de\ComSvcConfig.resources.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardFinish.ascx.resx | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\ja-JP\sdiagschd.adml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Deployment.resources\2.0.0.0_es_b03f5f7f11d50a3a\System.Deployment.resources.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\system.identitymodel.resources\3.0.0.0_es_b77a5c561934e089\System.IdentityModel.Resources.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Help\mui\0410\ipsecmonitor.CHM | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Help\Windows\de-DE\recycle.h1s | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\ehiwmp\6.1.0.0__31bf3856ad364e35\ehiwmp.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\editUser.aspx.resx | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.mum | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Package_for_KB2534111~31bf3856ad364e35~amd64~~6.1.1.0.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Fonts\upcebi.ttf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\inf\mdmzyxlg.PNF | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Runtime.DurableInstancing.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.5\Microsoft.Build.xsd | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\ja-JP\DeviceInstallation.adml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\PresentationCore.resources\3.0.0.0_it_31bf3856ad364e35\PresentationCore.resources.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Xml.Linq\164d9beb2bf9b6160593f915a2d9aa6d\System.Xml.Linq.ni.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Help\mui\0407\cmak_ops.CHM | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\es\Tracking_Schema.sql | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~ro-RO~7.1.7601.16492.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\normnfkc.nlp | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe.config | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\PLA\Rules\fr-FR\Rules.System.Memory.xml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Help\mui\0407\tpmadmin.CHM | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config.comments | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\PLA\Rules\it-IT\Rules.System.Summary.xml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\de-DE\RPC.adml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\it-IT\RemoteAssistance.adml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Help\mui\040C\taskscheduler.CHM | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Installer\30d3.msi | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\InstallUtil.resources.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\e27ae693b6e71bb689ec66761a65901f\System.ServiceModel.ni.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\diagnostics\system\Device\TS_DeviceDisabled.ps1 | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\inf\rdpbus.inf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Speech\Engines\SR\ja-JP\am031041.am | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35\Microsoft.ManagementConsole.Resources.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\diagnostics\system\Power\en-US\Power_Troubleshooter.psd1 | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Fonts\corbeli.ttf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Fonts\tahomabd.ttf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Resources.Reader.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Help\mui\0407\authm.CHM | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\inf\ESENT\040C\esentprf.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\inf\.NET Data Provider for Oracle\_DataOracleClientPerfCounters_shared12_neutral.h | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\it-IT\UserProfiles.adml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Fonts\seguisym.ttf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
"C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe"
Network
N/A
Files
memory/2196-54-0x0000000000A60000-0x0000000000C1E000-memory.dmp
memory/2196-55-0x0000000000A60000-0x0000000000C1E000-memory.dmp
memory/2196-56-0x0000000000A60000-0x0000000000C1E000-memory.dmp
memory/2196-58-0x0000000000A60000-0x0000000000C1E000-memory.dmp
memory/2196-59-0x0000000000A60000-0x0000000000C1E000-memory.dmp
memory/2196-60-0x0000000000A60000-0x0000000000C1E000-memory.dmp
memory/2196-61-0x0000000000A60000-0x0000000000C1E000-memory.dmp
memory/2196-62-0x0000000000A60000-0x0000000000C1E000-memory.dmp
memory/2196-63-0x0000000000A60000-0x0000000000C1E000-memory.dmp
memory/2196-64-0x0000000000A60000-0x0000000000C1E000-memory.dmp
memory/2196-65-0x0000000000A60000-0x0000000000C1E000-memory.dmp
memory/2196-66-0x0000000000A60000-0x0000000000C1E000-memory.dmp
memory/2196-68-0x0000000000A60000-0x0000000000C1E000-memory.dmp
memory/2196-69-0x0000000000A60000-0x0000000000C1E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-05 14:38
Reported
2023-07-05 14:40
Platform
win10v2004-20230703-en
Max time kernel
150s
Command Line
"C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe"
Signatures
Agenda Ransomware
Drops file in Drivers directory
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\ApproveEnable.tiff | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Theme1\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.19041.1_none_148b41803c849a3c\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Fonts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Theme2\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.19041.1_none_905c6a851ca62951\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ja-JP\wmiprop.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ProfessionalEdition~31bf3856ad364e35~amd64~~10.0.19041.1288.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Host-Devices-EmulatedChipset-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0110~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\P6DISP.GPD | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1 | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-Containers-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\en-US\urschipidea.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\es-ES\c_camera.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Storage-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\MultiPoint-Connector-Opt-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\icsunattend.exe | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\it-IT\winver.exe.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\es-ES\ServDeps.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\fr-FR\netnccim_uninstall.mfl | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-FCI-Client-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_ar6320_3p0_NFA364xp.bin | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\MSxpsPCL6.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\windows.internal.shellcommon.TokenBrokerModal.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Virtualization-RemoteFX-User-Mode-Transport-WOW64-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\es-ES\authfwgp.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netl160a.inf_amd64_e4cbe375963a69e9\netl160a.inf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-UI-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\fr-FR\rdpbus.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\ja-JP\1394.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\KBDTIFI.DLL | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Embedded-AssignedAccessCsp-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\SearchProtocolHost.exe | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Windows.Devices.WiFiDirect.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SMB1Deprecation-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmpace.inf_amd64_5e0fbd01da4f7c7b\mdmpace.inf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\F12\ja-JP\F12Platform2.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mfc110chs.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnport.vbs | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sort.exe | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\es-ES\xml.xsl | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\biwinrt.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\de-DE\dot3gpui.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_35bbbe80dec15683\netnvm64.inf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\ja-JP\net1yx64.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fi-FI\cdosys.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SimpleTCP-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\ja-JP\machine.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iprtrmgr.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataAdapter.ps1 | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VirtualDevice-PMEM-Package~31bf3856ad364e35~amd64~~10.0.19041.1110.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\de-DE\ksfilter.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\en-US\sisraid4.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iscsidsc.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\stdole2.tlb | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dism\it-IT\VhdProvider.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\DMRCDecoder.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\ja-JP\c_sensor.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ja-JP\TetheringService.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\fr-FR\storagewmi_passthru_uninstall.mfl | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\MSFT_DtcNetworkSettingTask_v1.0.cdxml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Editions-Professional-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\downlevel\api-ms-win-security-base-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\es-ES\nett4x64.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\c_fsundelete.inf_amd64_741f159cc6ce7814\c_fsundelete.inf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMPNetworkSharingService-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\LogFiles\WMI\Diagtrack-Listener.etl.004 | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OneDrive-Setup-WOW64-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-32.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\Fonts\StorMDL2.ttf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\.lastModified | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\7.jpg | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-150_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-400_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core.jar | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-48.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-150.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.RSA | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100_contrast-high.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\af_get.svg | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\3px.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-24_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\WideTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\id_get.svg | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jdwp.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-80_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.map | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-100.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_SplashScreen.scale-125.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_EyeLookingUp.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_mmx_plugin.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\DefaultResourceDictionary.xaml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-64_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-200.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\adobe_sign_tag.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007 | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-250.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-100.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\SmallTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_autodel_plugin.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sq.pak | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\msvcp140_2_app.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mraut.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasks.resources.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-100.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\NlsData0011.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-EditionPack-Professional-WOW64-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_cht4sx64.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_b842c4caa709c970\cht4sx64.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-inputprocessors_31bf3856ad364e35_10.0.19041.746_none_783ec1d1dc7110ea\r\MtfDecoder.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..gssystems.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_40c2e17b359e3072\pegi-pt.rs.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\monaco-editor\min\vs\loader.js | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-containers-ccg_31bf3856ad364e35_10.0.19041.844_none_3a7392af5414371e\r\CCG.exe | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\INF\ServiceModelService 3.0.0.0\0000\_ServiceModelServicePerfCounters_D.ini | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-devicepropertymanager_31bf3856ad364e35_10.0.19041.1_none_72d9172d5ef89c93\DevPropMgr.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-f..temcompareutilities_31bf3856ad364e35_10.0.19041.1_none_b6b7b206d4b9d895\fc.exe | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-g..ion-winrt.resources_31bf3856ad364e35_10.0.19041.1_es-es_393729fea530ed2c\Geolocation.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\servicing\InboxFodMetadataCache\metadata\Msix.PackagingTool.Driver~~1.0.mum | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-DeviceGuard-GPEXT-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_mdmirmdm.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_f35f24d895a538f3\mdmirmdm.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..ional-codepage-core_31bf3856ad364e35_10.0.19041.1_none_ecc5d2879c840ab0\C_28593.NLS | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-o..tend-apis.resources_31bf3856ad364e35_10.0.19041.1_de-de_ace462250daf2aaa\OfflineFilesWmiProvider_Uninstall.mfl | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\INF\athw8x.inf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\it-IT\Reliability.adml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-msmq-dcomproxy-Opt-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-e..-management-onecore_31bf3856ad364e35_10.0.19041.844_none_97ef5f6f3319407d\f\EnterpriseAppMgmtSvc.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-mapcontrol_31bf3856ad364e35_10.0.19041.1202_none_881548dfbfc9556a\moshost.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..in.assets.searchapp_31bf3856ad364e35_10.0.19041.1_none_501fda1ac26a3cf4\Splashscreen.scale-80.png | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\35e71ddd80b7908e1a8311173ffd6ff1\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\HyperV-UX-UI-62-merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.mum | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..snapindll.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_54a14e6536c93ad6\certmgr.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-credwiz.resources_31bf3856ad364e35_10.0.19041.1_it-it_52a08bbc2d12c4bd\credwiz.exe.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-font-truetype-inkfree_31bf3856ad364e35_10.0.19041.1081_none_87beae98bb645f2f\f\Inkfree.ttf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..cementmanifests-com_31bf3856ad364e35_10.0.19041.1_none_6de2419ac25e4592\Microsoft.Windows.COM.DTC.Setup-Replacement.man | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_dual_displayoverride.inf_31bf3856ad364e35_10.0.19041.1_none_323aab02875f9703\displayoverride.inf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_dual_megasr.inf_31bf3856ad364e35_10.0.19041.1_none_f8e752cd83d0ece6\megasr.sys | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\1031\admin.chm | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\it-IT\W32Time.adml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\servicing\Sessions\31042989_955721364.xml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobelocalaccount-page.js | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..stencemigration-net_31bf3856ad364e35_10.0.19041.1_none_61a1cf633b14d3fb\NetworkConnectivityStatus.psd1 | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-inetres-adm.resources_31bf3856ad364e35_11.0.19041.1_ja-jp_8850b30f44f96c52\InetRes.adml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..owershell.resources_31bf3856ad364e35_10.0.19041.1_it-it_0314a2ee86868645\Microsoft.Msmq.Powershell.Commands.Resources.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Web.Services.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\System.Web.Services.Resources.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\HyperV-Hypervisor-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.mum | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_dual_usbvideo.inf_31bf3856ad364e35_10.0.19041.1202_none_27bd1529e8f0be36\r\SecureUSBVideo.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-eapteap_31bf3856ad364e35_10.0.19041.1081_none_969160880ebb6db2\EapTeapAuth.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-f...appxmain.resources_31bf3856ad364e35_10.0.19041.1_es-es_04e1d3ef9ccc345c\resources.es-ES.pri | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe.config | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..l-keyboard-0001045a_31bf3856ad364e35_10.0.19041.1_none_559a5c8fe877b6b3\KBDSYR2.DLL | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..ityuxhost.resources_31bf3856ad364e35_10.0.19041.1_it-it_01ac3dde909aa629\ProximityUxHost.exe.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.TextToSpeech~zh-hk~1.0.mum | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_dual_machine.inf_31bf3856ad364e35_10.0.19041.1202_none_8111a792f090a2a2\f\machine.inf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_hyperv-worker-events_31bf3856ad364e35_10.0.19041.1_none_d605c8ca8c7160ff\vmwpevents.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_machine.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_29ce672f4aa92c51\machine.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-lxss-manager_31bf3856ad364e35_10.0.19041.1202_none_f31e7d867ff69c65\f\LxssManager.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..r-library.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d37d97b57b0df97\wpnprv.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\es\SqlWorkflowInstanceStoreLogic.sql | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_iastorav.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_a08116a658dd8d53\iastorav.inf_loc | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..on-authui-component_31bf3856ad364e35_10.0.19041.1_none_92c85869af354084\authui.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-mfplat.resources_31bf3856ad364e35_10.0.19041.1_es-es_ba98ab56d5cc48bb\mfplat.dll.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\INF\net7400-x64-n650.inf | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.OracleClient.resources\v4.0_4.0.0.0_es_b77a5c561934e089\System.Data.OracleClient.resources.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\en-US\wlansvc.adml | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-accountscontrol-api_31bf3856ad364e35_10.0.19041.264_none_5042c4d9e97545f8\r\Windows.AccountsControl.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-choice.resources_31bf3856ad364e35_10.0.19041.1_de-de_7e143e46b9f0aeac\choice.exe.mui | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ment-policytools-ex_31bf3856ad364e35_10.0.19041.1_none_0f506321e073254e\Security Configuration Management.lnk | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
| File opened for modification | C:\Windows\Boot\EFI\kd_02_14e4.dll | C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
"C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe"
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Network
N/A
Files
C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll
| MD5 | 2fc4d42f568c9fee6e069f7ea46d5cc0 |
| SHA1 | 318429f05909b5d4097c2840d64029bc76d08d0f |
| SHA256 | f0d4d5993e3e236c288ab8534583da7a624b340c0f6160f61ff4e2df4a82d390 |
| SHA512 | 8e419505b40f55486aaa25ddca9e19c575986ffcd606168dca0ffda25e3affc5e5104185647f5cc277c5f647a6358f0fd35f53ca20bcc208728659eaf43daee9 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll
| MD5 | c9dab12378f3f914ed34c23494ce74c0 |
| SHA1 | 69c14443b2ebb2f1e726243288aab1d12b97db37 |
| SHA256 | 18c514f88f60310f3cf25cda77924a01e0a36d14a0e9762756648c2c648ce705 |
| SHA512 | 150fc79994d2af3fa38d61d875220c1baa3c24364423ee670718bd149be1129c52b30296bba44394eac8cbc587c065f04aa527522ef5c605f7221439fb7c7ca9 |
memory/1992-135-0x0000000000B00000-0x0000000000CBE000-memory.dmp
memory/1992-136-0x0000000000B00000-0x0000000000CBE000-memory.dmp
memory/1992-137-0x0000000000B00000-0x0000000000CBE000-memory.dmp
memory/1992-138-0x0000000000B00000-0x0000000000CBE000-memory.dmp
memory/1992-139-0x0000000000B00000-0x0000000000CBE000-memory.dmp
memory/1992-141-0x0000000000B00000-0x0000000000CBE000-memory.dmp
memory/1992-142-0x0000000000B00000-0x0000000000CBE000-memory.dmp
memory/1992-143-0x0000000000B00000-0x0000000000CBE000-memory.dmp
memory/1992-144-0x0000000000B00000-0x0000000000CBE000-memory.dmp
memory/1992-145-0x0000000000B00000-0x0000000000CBE000-memory.dmp
memory/1992-146-0x0000000000B00000-0x0000000000CBE000-memory.dmp